23542300x8000000000000000102738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:06.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6544BD64D1F229858EBB11C99E9EAD72,SHA256=AB59EFE54A177761500E684B213C19AF0547D58A7633074CDAAB7C4BC313756B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080567Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:06.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579B703F840423E33DD9AE14E7604424,SHA256=35DFBE587098D382E348C8604D15C32167CFC48719E18EEF8B5C15E9C6C9B741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:06.467{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56D19E3B21A48586D25B0764E503BD45,SHA256=5B8A1063DFE542654498878A70E4ACE182FAF2B18BA7B35E853E857076F7F060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:07.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9767DE53C738D37A9F67D663706D6C0B,SHA256=5801F39F503CE728A50F5570A998696D47E0A837C837878222D3D54B96E848DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080568Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:07.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2E959CB86316A633C23237A3013C96,SHA256=55BBFF4635EEAE1C4336725319F090B5437F05C109736F56F7CCA41E6B6F45EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:08.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58C551547197ED141469C34CC7833D3,SHA256=BAEEEF56C22F01D91E2B15D9D51CB556F1BBFCB13A8C6575C3F8FAA6949602BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080569Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:08.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1C85FDEF5EC34AC3B4AD3926F6B857,SHA256=A5268D46D7AED15C09FB2443681F35C3D13FE0BB1686232F9E8CC0F92DAA842A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:08.322{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49460-false10.0.1.12-8000- 23542300x8000000000000000102741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:09.889{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28701A3580949B510134075EF35997B,SHA256=3FC0C8BB003AF3D61E2B20AE00FCB085F088292BFECF8E3379C49BD3B6A4DD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080570Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:09.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8536012A723A875C2893F55B0106E1D,SHA256=FAAEF8151157DD13827E8BC25126082434DD8F3BF94B6EC116B12AA9A3AE6E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:10.904{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896FF5DEDE7B2B0309091EB74F245F8,SHA256=51C9D21F3E90371B4A6D8AB8F6A5106EE550B2EB8C5A6E89E3A620B54F6378A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080572Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:10.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9E664BCEF8D689ECB632B79A0583B,SHA256=F4D7630C8CE734C355E0C8ED71CC1923651AD2BDBA853A23FF7EA1AF5AEA6738,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080571Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:07.808{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49970-false10.0.1.12-8000- 23542300x8000000000000000102744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:11.935{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E752AE807AA9C5F4FD033D26116D186F,SHA256=0FEF76677DF3B831916A307576526D68D3E32AF8535D6E017CF4206D5F2E559F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080573Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:11.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF7ED0459F4E762879212BADB4675D6,SHA256=449F4582975405E75F1152BA6500A16925EBF61E16E5429F8C3DB834CF2F3556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:12.935{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAA14D8ECCAD98DBB60FC0D5E51C01E,SHA256=70C7ABDA8919990A5E1453F341CB98BCA7C787B1C2C61711B83AA920C48D9CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080574Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:12.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B861725B30900F6C81D99B4E8C297E2,SHA256=1B1EC3E92DC420F772A8568F7309C0F839920E0923DD839FC767294B7F2C438E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:13.935{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A433B020AA70D5D65B736BDF8846B785,SHA256=DB0E269E56B20537E301ABF9DAE747E03AE8655C0017B844AA7AC977BEF59A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080575Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:13.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB15956867803969C61DF5541687545,SHA256=6289D805EFF082A811CDDC8090C3EC5FB749B367FFC3ECF6EC9CE767B3E2C8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:14.937{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D52C7A916302D4FBA5089259D0CE1B,SHA256=1EEF206111033FEFE61F361E28F74EFD87931F62945B45E22EE99C324A1007B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080576Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:14.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9C166D2862A33E3CFF9A93593F72E8,SHA256=D638AE85E5FE68B1A0D22BAEF5B75DFBF77928D57D3DE2F398FE5D5296ACE781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:14.611{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-018MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:15.947{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2162D05F93C7C31DCC8882A482DF9E2,SHA256=70342E969BB76162FF34F5A4267EE4ED310CDFB0443A107B9FB7B0A8FF8CCC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080577Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:15.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DCEFA0530E2F19B2FB7E583CDC94A6,SHA256=0A5B2D509F32CDD68E12BA9B351B7991FB5C82E90488535F74377C71D6B769EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:15.610{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:16.952{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B6227C07A438B0F7551A7DF73DDD59,SHA256=0BA887626D8E311578BCAFECCF35AC1E26BA4BE636381360E0D3EE49CE3866C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080579Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:13.822{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49971-false10.0.1.12-8000- 23542300x800000000000000080578Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:16.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D36B6635EF547191E9D4F5CF71CF248,SHA256=755547B11A6C9FB2AD28C9BCCDFC80BC47F49F0FD72948560BA0257F5CDF5712,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:14.307{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49461-false10.0.1.12-8000- 23542300x800000000000000080580Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:17.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23381FDC77CF5BDCDB4A09D6B453178,SHA256=FBD54D43E747DF08A4A6F3C111903FBBBADD8A1789553B5C1A493051833584F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080582Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:18.956{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=40D1E2B2E43ADF8CE4EB3646B043C216,SHA256=ED49F5201BCA5E926723AA0A849BA42F06B70A89E075CEF628CF46718DF588E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080581Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:18.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1662D6F5DD9753CBE4C2905919E38204,SHA256=3665130A240B5194F566993510B4B0409F683AE718235E1F93672122D3A5FE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:17.999{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D286519B9E09EBB756CFFAC355532241,SHA256=F1F1D88D84ABFE1CF4D18C9B4CB78D9D0B1C9D928EE3F8DA382E22054B199D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080583Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:19.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6EF111BAB15AC0A9B372C59F58670D,SHA256=962BB763AC714A4D2646C65A235F5BD5ED8815D46C16D0DFDE3869A510A5C465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:18.999{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7626A88247AC245A675184E29E2A3C38,SHA256=06B279F07B53F9C503676788E7387B14B981BD2385E6FE7DC9D01BA2B79A76BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080594Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:20.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80272EBF8E8BB3B7EF18A38C1F645BB2,SHA256=81CB391E8C22C110257CD5D3ECEC7C84A33E99D5415DB3AEAB362FD96D03C9FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:20.014{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A72BD4A70154A5005092C3623B4463A,SHA256=5FD4B2B2A8F0EA790CF5F151FE9DE1804625AA915E2EC3C9F5E965F8A2CB8EF9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000080593Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000080592Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0012f6bc) 13241300x800000000000000080591Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8eb-0x89cfe020) 13241300x800000000000000080590Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f3-0xeb944820) 13241300x800000000000000080589Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fc-0x4d58b020) 13241300x800000000000000080588Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000080587Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0012f6bc) 13241300x800000000000000080586Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8eb-0x89cfe020) 13241300x800000000000000080585Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f3-0xeb944820) 13241300x800000000000000080584Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fc-0x4d58b020) 354300x800000000000000080596Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:19.616{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49972-false10.0.1.12-8000- 23542300x800000000000000080595Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:21.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AAE5879A0F5D040B031B98053832BF,SHA256=E5FC9BAA7C40AA37AAC393852E51DCD6A716A74F967A63FE387F981A4665C6A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:19.433{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49462-false10.0.1.12-8000- 23542300x8000000000000000102756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:21.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4637AD3486D15BDA6CA7FFF1312457C8,SHA256=CCC69E02715C83C7FA7982A613633A3465113179F81502ADF10BB062945912A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080597Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:22.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD7B6C28A7B152287C3B252D571F753,SHA256=D13B5CFA1E3469AB50C06B068CA2648DA57ECDB358C588CD2538ED6A556A5557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:22.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5790F67BA6C1C7F7C1BB5CD4B89CBC40,SHA256=2271454782D5452DD2EC4E4FAE5A409E6DAD46FA1446159192693E691FC39308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080598Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:23.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604CCC3BD26AF8CC0B78C5FB0A4446A4,SHA256=C72C11085D62F4AC2C183CF848AADAECBED742E8428626996ECEB746A43A3451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:23.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221AF4B17050F45266BC046B81FB0FD7,SHA256=AF2B1A386E7FCF8DFA43C29C73E3850B12B99FD7DD52A958D3386B104462D71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080599Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:24.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E5A40E69428BF2527E6F88CF5CF730,SHA256=08F51A6194705DEE1636773FBF55E3B9531809265F0AA1B6C353BB09E30CF73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:24.045{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE2F5CF3BB5CB2C4F1C5AAD355E2F9F,SHA256=74EE1C357CCCD1DC2B7E62D65E7110C82ADFCBC03522CA48CE7F7307F01A2141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080600Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:25.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2EE3947B5882EAE6E132AEE16E3C3A,SHA256=2260ACFEE052C7F86C1FE64628ED89EE46B11976E375DA7572B06CA8E3B1E0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:25.061{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14263F565830565BB57F1F7C631F9CDC,SHA256=3DF0896FC7381FDCAB46653A2F5C6C3344C2E506A152BCA34CFDB1543084AC6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080602Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:24.664{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49973-false10.0.1.12-8000- 23542300x800000000000000080601Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:26.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93756FA1C3B667D5347C54C5E99A058A,SHA256=6EDC8178240BE5C976200D8CBA5CB6E87DCC564CF2F99E486FC2E8B0B4D73714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:24.479{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49463-false10.0.1.12-8000- 23542300x8000000000000000102762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:26.061{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5436B9C6DD8950417D6213C4A6DDBF3,SHA256=1AFED5811EB8986C934A262B3918C84E3ECE1BDC7F6D05458402D6B00A992EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080603Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:27.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA73EAB9C46B132E82AB8B564874A0D,SHA256=461ED8143E3F27E205A7489961549C9025A7AB667A80666E08F5947A81C5D932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:27.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09CEA5CB9C9B6A9A586DA1F1C2CACA5,SHA256=05CBCA4C7E511571E9DB3B84FD4AC1A0399A3575A428C90392768233ECA431CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080604Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:28.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E7A439E5D1790BC50ADFCCCC04AE6D,SHA256=A752760D9F57C39A05B1B6C67B42D0EDAD8A3AF54191F125847D7654CFE6DE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:28.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EDB70A850ED6D74E7B82E3798B0B78,SHA256=6BAA486145B8204A32353A7E1D1040A7D35951BA87EFE7DB29478E27A25E57B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080606Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:29.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2B21B22FBA328702EE1CB0A62AE294,SHA256=2418CD38E0BF7AB1FF3D8F6D670AAD856B686561867353366208970C51D2DEDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.639{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000102768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.639{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-ACA4-615A-0A00-00000000FC01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.639{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-ACA4-615A-0A00-00000000FC01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.092{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEB860633C077F65A3F9B72494F2D9E,SHA256=5F47DBEC310F5DB19F82EC9D7AEF9EC542B16FAF940B1860087439CB9486BE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080605Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:29.566{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080607Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:30.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAB19D0A4775D90B8DF78E599D7D7DD,SHA256=8B54AC6C71776F264FBD039EDA687E78AB6CA14005B3C73224C5E04A9662C726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:30.639{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1A349657D2B34F081817F8C66445382,SHA256=A77DD7D3087FC59013A76A9EDEFC69BD638B779D6DB147ADA6420D4A9BC130F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:30.639{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A67DFA500CF266866DB40968FB6C753,SHA256=D254055DF6A3DEA7B2B85E9CD6886ADD65F40BC8234E20C078BB59C021E4C876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:30.092{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E788DCF94CF6B16D8460C9E8024B827,SHA256=8B47013EE8E7E5A967953BB04114BB139907F277C716202269555BE0F7BF57B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080622Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EEC33CEA31F972236AFD44FB694710,SHA256=3C34EBEBC9925780D0BC46B435A469FCC9B5341268BBB0CF8FA5BFC169FEDE3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.871{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49465-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000102775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.871{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49465-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000102774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.495{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49464-false10.0.1.12-8000- 23542300x8000000000000000102773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:31.092{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B987AB5E68A518764ED866892B4398,SHA256=9DB518F1534904EE881D261C2315EA9852948E8F4B11CDE4D725BDC91ECF57AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080621Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B157-615A-2601-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080620Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080619Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080618Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080617Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080616Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080615Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080614Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080613Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080612Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080611Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B157-615A-2601-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080610Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B157-615A-2601-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080609Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.458{2FDD8D40-B157-615A-2601-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000080608Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:29.102{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49974-false10.0.1.12-8089- 23542300x800000000000000080640Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A960377D88D0F04A817CB07B24933FC,SHA256=E79CC9D7911FDC6460F2541940C9A40F2C5E388728D493E74EFAED6DBB14ED8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:32.108{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89287E0C6454712492A3C0DDF613ABB,SHA256=0C4FCF3EB7DDA56A0ED868D3C034AA87D7C1BAF73F4E7B78D2A85DF19FF824E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080639Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.473{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=017B48EBE099F18A89F3ABED3A51EBBB,SHA256=54A57991C3304058AF1FD5974A808E5CB0A6215442BC484F545328046EFE7902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080638Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.473{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C6FBC07CDF2178D2265B8876DBB7BA,SHA256=BB4FDE5D6A2BCC87D3A051776D6550D0878FA98A23027C640C7844B3A3931C30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080637Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.191{2FDD8D40-B158-615A-2701-00000000FD01}11601892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000080636Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:29.743{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49975-false10.0.1.12-8000- 10341000x800000000000000080635Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B158-615A-2701-00000000FD01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080634Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080633Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080632Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080631Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080630Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080629Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080628Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080627Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080626Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080625Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B158-615A-2701-00000000FD01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080624Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B158-615A-2701-00000000FD01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080623Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.037{2FDD8D40-B158-615A-2701-00000000FD01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:32.045{58E9C193-ACA7-615A-1100-00000000FC01}3601500C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:32.045{58E9C193-ACA7-615A-1100-00000000FC01}3601500C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:32.014{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=62DC105C878727A5459A7BC188C8AD61,SHA256=4FDC2EB348AC00A7A5CFAA5BC67139F89B08B6A448078518B259133A5DCF4476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080654Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.723{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABA839AB51CADFD224A44410DE62B28,SHA256=95245C25B4832EC967A998E41E45194D3939008CB181B4C82623B1351E9BA9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:33.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B612ADB1B2F622CCA716C0D01DA0AD1B,SHA256=E362750BCA64CDE41A6A7FB4152241BFCF76A75AB2956784EF01A01AA041925F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080653Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B159-615A-2801-00000000FD01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080652Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080651Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080650Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080649Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080648Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080647Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080646Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080645Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080644Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080643Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B159-615A-2801-00000000FD01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080642Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B159-615A-2801-00000000FD01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080641Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-B159-615A-2801-00000000FD01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000080670Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.926{2FDD8D40-B15A-615A-2901-00000000FD01}34202652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080669Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E31310A7D291F9A00AFF4147004F15,SHA256=1A32AE7FF58468E1E2682FF52415D9F6B088D74F2AA4F3B3BB265E17CA575AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080668Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B15A-615A-2901-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080667Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080666Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080665Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080664Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080663Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080662Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080661Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080660Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080659Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080658Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B15A-615A-2901-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080657Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B15A-615A-2901-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080656Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.739{2FDD8D40-B15A-615A-2901-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:34.327{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDFA58296DFA9AB94F58E82F73CA71D,SHA256=2C8054F106875B24D6CB4B803FEE7CF72F97A3F21B57F41B45B3077CC8D4B058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080655Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.238{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=017B48EBE099F18A89F3ABED3A51EBBB,SHA256=54A57991C3304058AF1FD5974A808E5CB0A6215442BC484F545328046EFE7902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:35.342{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE68AC0F68B35AA76272E2772F22DAE2,SHA256=DA4C6808258CA4F9002FCD2A214EBFC01D50A6937380F2A2F8EDFD7B3765599E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080684Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=913101C53D509808F5A38F42BA1A7F03,SHA256=E147A51860F71C059D612672044D56E653B17766FA32348993081118399F718E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080683Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B15B-615A-2A01-00000000FD01}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080682Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080681Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080680Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080679Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080678Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080677Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080676Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080675Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080674Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080673Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B15B-615A-2A01-00000000FD01}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080672Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B15B-615A-2A01-00000000FD01}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080671Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.789{2FDD8D40-B15B-615A-2A01-00000000FD01}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:36.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7235FE16C85A64BBA5B41B4728BF42D3,SHA256=55F45D91FF5B6B2C2293B050DE423B2B1DC6D48CC1D735B17056EDAF72B92EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080701Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.788{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00D7B1B42B881E49E79CE6277611F25F,SHA256=79A9A507CE96577B4ABCC1629AB302571CD61378267A4A0F9A3B5E85C2E682C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080700Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.726{2FDD8D40-B15C-615A-2B01-00000000FD01}14123212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080699Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B15C-615A-2B01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080698Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080697Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080696Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080695Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080694Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080693Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080692Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080691Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080690Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080689Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B15C-615A-2B01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080688Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B15C-615A-2B01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080687Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.570{2FDD8D40-B15C-615A-2B01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080686Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.038{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A118C9E46613FAAD962EEF7F41E263A1,SHA256=1904375D328DD337BA7385760E7DCA4B2FD321221B04277D5F6E97A3A2CB23AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080685Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.022{2FDD8D40-B15B-615A-2A01-00000000FD01}27162868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:37.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BAF06B1F159315782D0DFEF6C05B7C,SHA256=6F1140EB47749E50CF229C8D42F2FBA4FD3BFAB455BF4CE6F20696FD2B6FB157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080702Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:37.038{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B6654BAC65744FA89957069709568A,SHA256=CEB8DF41B6EF6E2DCD9977F28BD0D4FA2541E70D7BE9DB1AB2208DFFC4DBDCBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:35.355{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49466-false10.0.1.12-8000- 354300x800000000000000080704Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.683{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49976-false10.0.1.12-8000- 23542300x800000000000000080703Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:38.038{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBC35A400DE4F8BF15D4D42F391B9EA,SHA256=1400CA0210185982F099A3AAAEB108C464C66F8F2D4E6409D879AF8651BA8C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:38.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBA93D3E347DE88B3FEB9EC9992AD21,SHA256=EB57FA2BC914871DBC5E64D6BE1513B71C9D13EE7BDB71C70AC5DC8FCBDCFBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080705Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:39.054{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DBD214CACD586A899556BA3640587F,SHA256=01FD17930229F90D394855BAA9FE17822CB4EDEF4EE6AFA2FB4EFB9690579E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:39.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FB84EE3CC59E202D168FF175078507,SHA256=DC92B3E4CFD3A1650CFE1D48ADD190E219133F272506F703106632CFC56B1DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:40.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC723C5E1986039334DC0E97D9490CAA,SHA256=3C79FAEA64E0E736CD9350B15AABD40E3DFE51C98663CB26F09929332A9311E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080706Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:40.085{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281E63EE9E8A3998B93FDE8E2E60DFA3,SHA256=5EAF135F32F6557EDD4AAEFE664ED439A346B6C8C20DEE5E583488C61EBA3C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:41.403{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B54B18E1EB057CDC45465A655903761,SHA256=12D4FBF9B7674EFCB8F6E0E08557953404852C2E4D5F045F6B093AC3A16170C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:41.403{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1A349657D2B34F081817F8C66445382,SHA256=A77DD7D3087FC59013A76A9EDEFC69BD638B779D6DB147ADA6420D4A9BC130F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:41.403{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA25E604E138B3BB69B7BD9877845826,SHA256=79D7A77C36327B2BB5355085C1C0B0A513F982144EBAD4EC2072A183AB9DF616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080707Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:41.085{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA621B95E0557EC1A0EA916122FDE84,SHA256=09C9941981466008D57112757AC4986D5373711F6AAD31A01E7C129831FC38D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:42.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746BEB947FBFDF78F87BD8B7FB2A3482,SHA256=C887B3ABAC9B30FC36B5A2005B08BA7AC6738192A273EC2C209D6925CAD43F9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080709Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:40.730{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49977-false10.0.1.12-8000- 23542300x800000000000000080708Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:42.147{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CEC77D2780926BBC4FB7191ED7AE58,SHA256=6506D39BD23E2E2F7B01EA15C2C0113E4CBF546A2A9C885C6969267C6D63CD47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:40.400{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49467-false10.0.1.12-8000- 23542300x800000000000000080710Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:43.382{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DF6A0E28D1A49C3C495005657E3524,SHA256=84A395E827D9E83AEBC90AAE871BECF3663E399985526D579E75FC7F40E093F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:43.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B2BED39EA58C992BDB9BCBBDA8FA3C,SHA256=6877FC06D1187ABCBF509F6BDD074B0404320DB1FECEEBF0444DCD27D89133FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080711Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:44.413{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8D829A2CCEC425CC7E17B297034F14,SHA256=FE957D6AC373CF44BAA57433108E4C663F968C5FB0988E2E6DA4DD4B591B1899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:44.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26C5FD048DDBC83D798738C0311501E,SHA256=F9E3A5C8D4B92EF2A7924A56E078C2BC27154C54664C00F48FD8BD1CBDB229F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080712Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:45.491{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EFDFB4DD109E7F3D8F7FD8F2E15690,SHA256=B1C40991687E6BD97885D2C7D7D5808EE91897C009DA800BE3397BC8C25DFD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:45.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94E9634718C0BDA4B3D91F04E552AB6,SHA256=A3945BBC15378D2A61FFA43B7E54F7C07E73ACF2C7DCF0D5C3B3B27060E7DC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080713Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:46.507{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B553C182B622DF8885C31D5B26E00F94,SHA256=410F17FC9E9301457034157B027C3AD5CBCBB01E4828F6E582B26C2E78107969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:46.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2A3534E758D8FAB92F236A74E2800C,SHA256=17BF458F1250CBE40E08DAD68559EBBEC76CEC966D50F622F8519C4083528C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080714Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:47.554{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E216685F57A0C5095901E60395F2B8,SHA256=324E4031A348447B65D2D366CEDE2E4069A503AB7CFFC756BD060EE1D6A8E5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:47.483{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA2B82BA981D6EE72D893FE7C048F22,SHA256=F9ABF4BA4B7BF406149BFB49E775D465B904E1E454609B567C62B6B2B7A749C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:46.371{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49468-false10.0.1.12-8000- 23542300x800000000000000080715Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:48.554{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236C69552DBE35C1A249744067BE891F,SHA256=0FBB5088DE2B5DB1E1BE6D73B1ABDD35039DD104349D12E5659F358D0A80174F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:48.514{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8091D918BFC71CC99E0A39A1FB968E28,SHA256=B0B63F04BE831B25BE83D9B80D3BF9EB9C656FDCA49D40F95F5CFC4B6AA19529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080717Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:49.554{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED64EC0F9ACF06F3B91D78BC767BBD1F,SHA256=8418609AB75E73643D05A19496F93D108BE3959BC15202F1619A9ADBDA7435DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:49.545{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B65AE17F5CA448FB501C6DAEF2BD005,SHA256=399308FF3FA9C7DF4589BF896C5AF650656DA1B1F695DAD0C10329B0AD3C273D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080716Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:46.589{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49978-false10.0.1.12-8000- 23542300x800000000000000080719Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:50.554{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D01744718328E9D2550631F6778A1BD,SHA256=CE8CDEF424A397D14995CFE06AFC772BB7C8F0A6DE3EA19C114DD2F9B08FA8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:50.561{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65F44D5FBABD921D3C2BED6D2485467,SHA256=3E3BB75EAD0938E69E0CFFF5AD89E5D6F0A115DCA7C82C8BB913FB7B7E102AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080718Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:50.494{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-019MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080721Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:51.613{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF8DE1AAFE052847C96E7F89878103C,SHA256=732BF0BC2E6245DF3019ED4BDC7E1DC8F163060717CC4A7DFA4C4998E63DAE73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:51.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EEF796AB4A1DC3587933E5D3B5107C,SHA256=CA257487C397BF27E1FF0CE782344628BB5B6594C62F8A431C07657F173A8A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080720Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:51.492{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080722Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:52.725{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E246AEA6DB63CACCA58D5D8664C6E4B,SHA256=F8348D81DE926D6FE5077ED1BE8474409B06D69EE20909FA63FEF66E77249B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:52.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B788C2737D38C2909E03DC78E15223,SHA256=97F118CD4760F10349F7859B0A81E6DFF6DBA35BDFA65ABD0B169F1F5F36A5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080723Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:53.772{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233E23D23A6CD50F70E2BFEFF0F62491,SHA256=D5BFB9B5CBBCCD11540648E651294B0FBA11FF958EEEF50728735599AB765BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:53.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E355F87ECE11968257CB2AE2719F7C,SHA256=1579E58E2ACFB6F145A8D479161F38C8592FBDCD9904708B65DA95B0FA00FB82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:53.389{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-AE66-615A-BF00-00000000FC01}4620C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000102806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:51.371{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49469-false10.0.1.12-8000- 23542300x800000000000000080724Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:54.788{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF103102A699FB69E879DDAC8604E39D,SHA256=B52C1BDD4BEFC02044973CAC97E4567128931763AF582715A8195B54B04F202F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:54.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77FA1EB9F2DADB380BD2CD3119A4F728,SHA256=B0394093868EE6019087C9B3F30D304A85CDD7641EBD664703F9BF4649AE10F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:55.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B090D30B23C1D410AECF58852F689F30,SHA256=E568D7EDE97200D2A46187A7940F6F05DF18394EE16935D418B1F97A5DA821D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080725Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:51.667{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49979-false10.0.1.12-8000- 23542300x8000000000000000102812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:56.736{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:56.595{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6882614047A9947CF6666E8AE7FDD96,SHA256=A2D3BC6142F056D9BBED8E8F410297527030E1843B4BD6C0F6EC4C62C1652CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080726Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:56.027{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06FE4B42766C97B709A37363A440D10,SHA256=DE7A9D61598416FCDE1BF8D9E20149327596CD08677FB9D96057E272946F69D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:57.595{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7D470977AD1B750397AC7DC39DB558,SHA256=F2C7213A77C75B4014ADDE5739B868DFB07D7BD72D7A2E304EF233A1C99664A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080727Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:57.090{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5200D38F009F50C299E849C73B1A87C1,SHA256=31EEEE9F478AECE651364903E40845AA2272319A1E70A1C563F4F8E79F635F6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:56.421{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49470-false10.0.1.12-8000- 23542300x8000000000000000102816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:58.595{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F13F8ECB26328B0ED4FC9FF5B1DBA26,SHA256=27041F9FB6382D88CDE54DCB4EA311AF4557C2ECA2F07217311EA0D59A4D28EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080728Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:58.137{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD058518222EDE4ECCCC14107EC8686C,SHA256=154F04EB3211488D45166D19E791ECE7716763B3DF7233F00107617FC8C1192A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:56.968{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49471-false10.0.1.12-8089- 10341000x8000000000000000102838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.924{58E9C193-B173-615A-AF01-00000000FC01}66607100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B173-615A-AF01-00000000FC01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B173-615A-AF01-00000000FC01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B173-615A-AF01-00000000FC01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.768{58E9C193-B173-615A-AF01-00000000FC01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.595{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8559D3EB60A5FD57B2C13A3F8A673305,SHA256=EBBE6CF9A3FD3D1C819292C375682C409C327B59B61C911DB219F3991DDE913B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080743Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:56.814{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49980-false10.0.1.12-8000- 10341000x800000000000000080742Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B173-615A-2C01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080741Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080740Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080739Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080738Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080737Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080736Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080735Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080734Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080733Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080732Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B173-615A-2C01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080731Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B173-615A-2C01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080730Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.153{2FDD8D40-B173-615A-2C01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080729Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.137{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21A9B0E5BD712FB9523741BDECF90BE,SHA256=E2A6E6C0586D58ACEDE88194571169451BCBDD3ED6631B4A63C5FB6401DD8655,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:58.202{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49472-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000102827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:58.202{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49472-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000102826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.127{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BC12E37A5B32F2EFAE4DBBB0E7726E0,SHA256=F81C272252688F0671061F29722AA1244F7C9C9D141884789B78794D86B9F793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.127{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B54B18E1EB057CDC45465A655903761,SHA256=12D4FBF9B7674EFCB8F6E0E08557953404852C2E4D5F045F6B093AC3A16170C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B172-615A-AE01-00000000FC01}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B172-615A-AE01-00000000FC01}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B172-615A-AE01-00000000FC01}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:58.690{58E9C193-B172-615A-AE01-00000000FC01}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.767{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BC12E37A5B32F2EFAE4DBBB0E7726E0,SHA256=F81C272252688F0671061F29722AA1244F7C9C9D141884789B78794D86B9F793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.611{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E99468D10F7DB816FBDC07DEFAC4C9,SHA256=C310AB624ACE63220D6A61E1EB65228C5C16E4F6167FBF4DCC4F0E923939F23B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:00.611{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000102848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:00.611{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Config SourceDWORD (0x00000001) 13241300x8000000000000000102847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:00.611{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_4D264F37-7FD1-4957-AA29-D51476710399.XML 23542300x800000000000000080746Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:00.371{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C784399AE2EA0A942856DB3025253E,SHA256=66D770CB9D134DF2F6793933EFADF538671239FBCFA00F4900C3E123363D5B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080745Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:00.371{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8652467FC160FCDD5F0AC27EEF1C37F2,SHA256=E553099C040A555C26875AD56F79C0067880D37B50924681534D974F63BE28AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080744Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:00.137{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410EDED15D3950DCBFBDEE557D00BA5B,SHA256=F668F28422A1E3DB808237B921EFA594FB0B8EE3A3ADE1699BF2B579D100D814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B174-615A-B001-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B174-615A-B001-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B174-615A-B001-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.440{58E9C193-B174-615A-B001-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:01.627{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3636E3498315D2374A7A9F0D681B9F6B,SHA256=74DD84F5F864294C7D0E78DF6ECBFEAD24A3BAB7CABFE235E2BB5832E3EC157E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080747Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:01.137{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1AF155A3E5B18E7252A300D5A1447A,SHA256=DC814EB01F0A36B4CCD9C5E13163E55566AA651BEE6595BC6F7A60CB521D7083,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:01.452{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49476-false10.0.1.12-8000- 354300x8000000000000000102868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.855{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49475-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000102867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.855{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49475-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000102866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.847{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49474-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000102865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.847{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49474-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000102864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.829{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49473-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000102863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.829{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49473-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 23542300x8000000000000000102862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.642{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FF9D3109D0A3063978050686B4E340,SHA256=BF686E0436F74C5538E3354922ABD756BEBB96E030B3F8737C674B75B810F7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080748Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:02.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B04D10F9FD0A0313558B25E3FC1F47,SHA256=07E201DF475A390FDCC4550BCB667D9626599DFB3B3AB4699E2A6FDC00CA4A66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.548{58E9C193-B176-615A-B101-00000000FC01}60684292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B176-615A-B101-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B176-615A-B101-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B176-615A-B101-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.346{58E9C193-B176-615A-B101-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B177-615A-B301-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B177-615A-B301-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B177-615A-B301-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.862{58E9C193-B177-615A-B301-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.642{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09017D2DEC6D6A5A628F4F9E21A5965,SHA256=649ABA8C4143CBF8DC469C76A594B5A23FAACA419357565E4855F6D5F7AC9AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080749Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:03.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4E5DCF3DBC6D3BD6380FDED376501B,SHA256=258FE46B8BB47D1EA35823E92D09AD6B95BAE6C066A0047E3B960ADF4C9F1E07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.502{58E9C193-B177-615A-B201-00000000FC01}71167108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.345{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36450B96DCADFF6680508DB0F1B18B7E,SHA256=D13470ACEEE4241B6D4B45D52E600AEC319AD14E36FA7E2CB608354D40092BCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B177-615A-B201-00000000FC01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B177-615A-B201-00000000FC01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B177-615A-B201-00000000FC01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-B177-615A-B201-00000000FC01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:04.892{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D289EF9729E2C6028BC86235174942C5,SHA256=16F14BECC9C7D8FB09EA63648D9C91739FDBF5AA739D9819B269A1114B5A0C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:04.658{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE277C178F565C65C30DBFE594F3813,SHA256=BB8FC2ED76070908405C802FCAAF7FB4ACBEE1A9DFD896669485EFEB6D7E5508,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080751Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:02.657{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49981-false10.0.1.12-8000- 23542300x800000000000000080750Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:04.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED883BF1158E0E0BACC067735AADDFA3,SHA256=B9D193DFB59B971BF64F1E5323C6DB962785C2DCD874EF6293624BED27C01A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:04.081{58E9C193-B177-615A-B301-00000000FC01}22805268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.673{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C305A85378E8A8C27022BF12683079C4,SHA256=2E22E8FE0D2C3130CA87CAFB5B80B0C90D1465C14D04686947B0AAE884F22B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080752Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:05.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4863DB258DAD15E74774008FD25637,SHA256=E73318419C417DE599C660A8DF9565A17EA58A37A63FD2E918620A16B88D16C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B179-615A-B401-00000000FC01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B179-615A-B401-00000000FC01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B179-615A-B401-00000000FC01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.393{58E9C193-B179-615A-B401-00000000FC01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:06.689{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D998480801001F2ECE1EE255C500942,SHA256=956DCA4A1A262DB34715740C3A4BA1F35D21AFECA4268AD5EB3B9C5FCEFA8724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080753Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:06.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D878C7761F5B06A659FBFDE8196986,SHA256=9F4AE39F79D7A2F514F1D77D0BA15383C05814C9CC3CEAF2EE46AAD3D3CA1FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:06.392{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=635DD93B675FEE5EF8F0CA21EAC0E50F,SHA256=D9F745959D4ADE4894F72559DFD0C56335C3BF432D613A0A8EAC0EC1864FEC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:07.689{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF29FDF09CFE74154D99B11EEB96AE8,SHA256=21E0318A0B968B03E25EF18F4A2510B7AABEA20269C3513DDBCBAF884BC7BE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080754Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:07.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F460E94999AAC00EFEEB1774196454B4,SHA256=8B6941CCE30FA42B8B97AF7DD9C913994222307ABD604E841831EFCD3EB425A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:07.281{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49477-false10.0.1.12-8000- 23542300x8000000000000000102904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:08.689{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323BC99AD5F9CC6EF16A1D7C5D448DC2,SHA256=4C8CF9B7598F659EE824AAAD33A74A8E9295077A1AC3BF6FDC97D95ECE342D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080755Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:08.199{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CCC0FE1F5EB12C526C8DDE069A99C3,SHA256=25EF51A4B690847AF2BA143B5756353724687BD0F64255BBFED179B32894D6F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:09.689{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F7EC6EEC7EE5C0DA039EA9ABCA1641,SHA256=AFE4974C1F40760D7D004516DE8CC47695BC9F10846EC895DE0E7903C1827931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080756Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:09.199{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581C6AE16F8CD89AF43DCAAA9CDD5CAA,SHA256=D14A376AFDC693548FD882CAB6A02DF0F8BC17CE5F20AB057FC94BC26635DC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:10.705{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5730729C29D28DEE40BCB520BF9C9442,SHA256=9A97BA38B99872E27F3F58E64943526D17BEEC21A7FF3DFE37C58125AE2448E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080758Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:08.579{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49982-false10.0.1.12-8000- 23542300x800000000000000080757Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:10.434{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770DC7DC873C4C49B3422235EBCED9D6,SHA256=ED24B214FD7696222D4538CFCA104D85225130D9549C4E9C48BB277FFA3B0560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:11.705{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3871955A683BFADE043CAD71A0213512,SHA256=374AEC0642C066CECBE85ECF75F11ACA23B15EC88BB03C8A9B8B612360CF2636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080759Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:11.496{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BC98538912FE8742211765ADB8FF54,SHA256=BEFE50830B32E53AB5F555E079DAD9B94885BAEA3B141F1F08A023CD4483B231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:12.751{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5038C4C0CD5977A37B4DB00354ECDC,SHA256=0185DD87DACCCC99C7D794FA4DEA21D85B9197C0B03FD7F1613831ED3BC77083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080760Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:12.621{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53949A8B3F70A770579A5A8B8BC7BDFD,SHA256=E4A6CF3D3D6296A0484C49FD5DAE16DC9282FDAC6FC023D03895DAC4C3CCF2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:13.783{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14BEF0CA4FE166B68E0768561DAB55F,SHA256=328E282772B0074B888858BBD4983EA54595F7CE2B0EAF37DDA813DE9C45DC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080761Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:13.621{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97E880E8DC2F3711B31401F4E16112D,SHA256=95A3F112157394BBE34A63D61A68B79E14BFEF85262E965A29A2696525DD1101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:14.845{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E492451621354060BF239A573B38C38,SHA256=2A6609DCCC92647E3D84E092C6BB56B8FA57B9369D587E4E994AE90076D66A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080762Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:14.762{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AB2A41C74C47C03E21F02476D93462,SHA256=7B9DFE73322D4026C6C5F86F1A6E918052BF04998C246DC9075DA02727F61B7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:12.468{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49478-false10.0.1.12-8000- 23542300x8000000000000000102913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:15.947{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3AE907C66E4401347FD369C7A4E84B,SHA256=C9721F4CEF98BEF1652F07664B5D7919190341C32A60947BF0C2B8065EB5D30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080763Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:15.770{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1822F7DDA280FFB19C87FDD8386941C6,SHA256=0AABDC54E8DB3136B7D43F57596970B8228DB3466503815697C55BFC66462C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080765Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:16.770{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC7D9874B38A14B077E0606A588CB57,SHA256=C693CAB16EE22781FF6ECC279AC8ADA30456227442F8217E67E233410C69837C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:16.964{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA2E40C5658828C95B8A0C671A24E36,SHA256=87F31C1F637F3B95D6D1C8645257EF473B3E1BA8B15A34915298AD99345C12C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:16.139{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-019MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080764Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:13.579{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49983-false10.0.1.12-8000- 23542300x8000000000000000102917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:17.968{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E453D39B0B63FD6E43FB05219927AB48,SHA256=1945CF6AC99A7713AD6AE97854759C4E6857F5E6B65388220517F8FAE654821D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080766Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:17.773{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2ADA09512160F2C0F325C91F75AD54,SHA256=5F6EB4D2EDA01D625BA73A0F3B80368F14D899037B9D70AE72FB18948092B6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:17.138{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:18.968{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DBB8182DA2C0366BEC5BD521AA1D8,SHA256=079DA38FD130DDB685F805A349E59F94FA9924613A8FD45F2F5BB8C8E51AA7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080768Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:18.958{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FD29EEB072DF679FC759E02D136165FA,SHA256=B27072B47776E65C0F87EC1213BDDEB8B412E33FCCD1955C07830B900D8FA1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080767Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:18.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DE7A5A90C4762B23F38B290B88344D,SHA256=15EDFE0B35826A2B8BD7AE521A028E5841124FE02EF6E5E329FB2D628256968D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080769Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:19.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF055EFC73BC5617197F75984726BD8B,SHA256=7CE50F1BD7BBC8956FE77E37C2CEE064D51BD89AE983B57EDE844562F6DC2289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:19.968{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E844553298E7939E63CA1DBDBA494C,SHA256=A5D71F089DF49C3B07D46C2294FD647E5510CCE115B0FBEC5B5BDAECB7943B3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:17.493{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49479-false10.0.1.12-8000- 23542300x800000000000000080770Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:20.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7BCD9206B1CA6759CEFEEFECB157BF,SHA256=81BBC94CFACB7253305CC17F0607369DA1924316F646C70B66E88E1D85DAAF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080772Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:21.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20080EB7B1FACC7BD9AF3BF32588BA91,SHA256=98A096063C70FC242D0682DC843141DA4E7FBC9EFDBF98EBA20F29C263695D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080771Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:18.713{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49984-false10.0.1.12-8000- 23542300x8000000000000000102921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:20.999{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A483CC87311B22057FB34F6E472533,SHA256=E37C96413EFA23591DCD4DDBD12FF2C581CB2EDCA820A1CA301DF5E796ED16AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080773Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:22.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619BE1270214C281E7D2A7463FDA0681,SHA256=A49FFA4B138B5D2877A5DA2999BFD25A688E60755BE96670EF9CC9B18AEEC2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:21.999{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1170B641D0AB19FD82FDB744696A3BD7,SHA256=D7BF04BD2B1FDD69D4B25EFCEA3B6B0F06D399A265F0A57CA177EB8DEF73C575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080774Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:23.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F929827ABB817E102EB2BD0A9D1E90,SHA256=EAD392D1C0A2905138E614F8B9781ADFFBAC5E6B8D72D69B9DD8D6BAE1E54EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:23.048{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB94E83F00BE73549F6E2077963B2A59,SHA256=01F329E5E7CE116EA917B6002733002B7030F1CA95C66A6A354A2B13154E7360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080775Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:24.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D521C7214F9014828B0B53958AF4CE32,SHA256=ED2D00A8CAF08DCBEFC9C8A3201C9792A5B3FADBC1920829F7AB5FEB2DB7430F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:23.310{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49480-false10.0.1.12-8000- 23542300x8000000000000000102924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:24.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2BB4B7C0E20672D1631AA26C7563D4,SHA256=1529738B5735E9F33553A982BAA3F1D53FB56EB3FB768AD8474437E822605007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080776Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:25.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF50384D21879FE0E1558ADDB7935C83,SHA256=99D2461C764F06F6EFE12A13BB6F242C34E32FA11DABC06C87A4C6AEE656B44D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0013f39a) 13241300x8000000000000000102934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8eb-0xb0d36255) 13241300x8000000000000000102933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0x1297ca55) 13241300x8000000000000000102932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fc-0x745c3255) 13241300x8000000000000000102931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0013f39a) 13241300x8000000000000000102929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8eb-0xb0d36255) 13241300x8000000000000000102928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0x1297ca55) 13241300x8000000000000000102927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fc-0x745c3255) 23542300x8000000000000000102926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:25.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9223B83061F5C102FD144BA825F9364B,SHA256=87EFBDA9860E19308A6C921AEC0C1FF2337E0B2BB068511E5D9AF4CC327CE329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080778Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:26.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8101ECA9171121E0F9717757084840,SHA256=A1EAE55B0CAF3D931B5E04291101EECBEFEF12305FC9EC615F1B50221D88DD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:26.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06C1A2E05D0DE5F9AA811AA3F15B4D2,SHA256=0F0CBBF12028C90688E92608FA57D497DF7794BCC2B2A7E1A6AF80C8A34C51FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080777Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:23.791{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49985-false10.0.1.12-8000- 23542300x800000000000000080779Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:27.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB2F136C82874FBF8570A104E287523,SHA256=E773E6311E1876B25DB712ED5C6335D9638220F0510BA929023A56A6A33F4286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:27.140{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F276AF2B19D18103ACA10D24999755E,SHA256=F23C916318FD5AE6C4633C78E83FF5BB50791E03030E0ADD27EE6918A25DC762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080780Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:28.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD8B8C3E6C06740871AAF834FD02183,SHA256=EF72F31F6ABE5891313124BBD2261310BA4908FFEB1AA0BC912F42756EF55623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:28.156{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA54314C09C8FB2FCD2F6E41B815C8CE,SHA256=F86F5A414C776437EF52999B703335229F954DCCE27BDAC4485C8322E77BD433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080782Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:29.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B127A5C3635FB79B8D56CE726501E887,SHA256=59233547E570FF3D23654E7BE070B892FC457A305944489D5A4660BC58142E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:29.171{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8CA3A400B2A21034470F456BB1661C,SHA256=11526BB0C3664D8A7B93AF1068657D8E899396C9436F20EB62B5B1B6848D5597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080781Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:29.567{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080783Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:30.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EBC640240ECB9AA8B4A1B887CDBD12,SHA256=98A93197EBCF7B5D58AF8086CE3CBDA893139FE2B6983821AC84514844BB7BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:30.187{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C692B5E8349396153F7C131B6C53F2CD,SHA256=8E8AD40B526019DE3E88DDDD39AA938700B479D461DF3F6D66E247764E09C826,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080798Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:29.119{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49986-false10.0.1.12-8089- 23542300x800000000000000080797Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF1DFF4344D907BEDA48F3A46F47B0E,SHA256=F3ED3EC9AF504263783FBA1CDF26EC641DE01E582584077504B1D21924E61F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.187{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7671EB7494C3C929DE0F9B17A4DEE3BF,SHA256=5FEC20CEC3DA0D5FD6F6ED19450EBE9616A214A6BCE202F733C83DDF9A857278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080796Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B193-615A-2D01-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080795Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080794Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080793Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080792Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080791Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080790Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080789Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080788Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080787Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080786Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B193-615A-2D01-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080785Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B193-615A-2D01-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080784Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-B193-615A-2D01-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:29.295{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49481-false10.0.1.12-8000- 354300x800000000000000080816Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:29.666{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49987-false10.0.1.12-8000- 23542300x800000000000000080815Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E75A930FA80155ED835110EC449F76,SHA256=140AE2F7F4BF28AB29B6ED579C1190DD23C3EC49C342B2B3C883CDA90ED49A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:32.218{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1504E2DB5E8019DBB2C33462091FDCEC,SHA256=C3FC87432660E698B45E5F9D317E23F6A70D4A5C7A354EE598B2BF3115F9D051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080814Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA0187D64D2BE62919C5BEF39F898001,SHA256=EDC175B50E7A37DCFF485973FA68BD2C9A74EE50502797390BCD7EFCEA38F00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080813Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C784399AE2EA0A942856DB3025253E,SHA256=66D770CB9D134DF2F6793933EFADF538671239FBCFA00F4900C3E123363D5B82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080812Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.255{2FDD8D40-B194-615A-2E01-00000000FD01}12441180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080811Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B194-615A-2E01-00000000FD01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080810Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080809Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080808Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080807Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080806Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080805Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080804Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080803Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080802Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080801Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B194-615A-2E01-00000000FD01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080800Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B194-615A-2E01-00000000FD01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080799Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.115{2FDD8D40-B194-615A-2E01-00000000FD01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:32.015{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9D6A0E6DBE2EA9CEF28DB4DFC0F559AC,SHA256=F68A7A53A9D40FD9387B7B8A45E3A5536FD660A9840AA3658AF7C1374084B2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080830Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DC061DD49FBDB744D5EA7F217C9197,SHA256=AFE22EE2C310274B5E81344B730BD3F722A9F37E17463EE783B2C154935146D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:33.234{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DADAAC98241F70EFB12A72F11FE5FD2,SHA256=730780C76F39918919263754601DAFE8F685CDEAA7DF8E0EE790BD2F8BA16395,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080829Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B195-615A-2F01-00000000FD01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080828Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080827Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080826Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080825Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080824Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080823Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080822Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080821Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080820Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080819Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B195-615A-2F01-00000000FD01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080818Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B195-615A-2F01-00000000FD01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080817Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.146{2FDD8D40-B195-615A-2F01-00000000FD01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000080846Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.926{2FDD8D40-B196-615A-3001-00000000FD01}840948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080845Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5F19B09925EC6118F448DBB1D05B3A,SHA256=E2FA92D7B4D7E3D547F01945CC3A420B4BBBA3C9A38268D901FCA6105FBA8A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:34.249{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284AAB640218FF69F8A0B868BBDDAE2C,SHA256=C6F1AB04CD6A7D107E9DA0B1A6BBB7C13001AE6B6950A6316A36C347C155C514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080844Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B196-615A-3001-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080843Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080842Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080841Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080840Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080839Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080838Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080837Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080836Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080835Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080834Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B196-615A-3001-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080833Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B196-615A-3001-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080832Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.740{2FDD8D40-B196-615A-3001-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080831Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA0187D64D2BE62919C5BEF39F898001,SHA256=EDC175B50E7A37DCFF485973FA68BD2C9A74EE50502797390BCD7EFCEA38F00B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.878{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local52482-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000102950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.878{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local52482- 354300x8000000000000000102949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.878{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98d0:cb7e:b94:ffff-52482-truea00:10e:0:0:0:0:0:0win-dc-639.attackrange.local53domain 354300x8000000000000000102948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.878{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59994- 354300x8000000000000000102947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.877{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57971-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domain 10341000x800000000000000080862Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.930{2FDD8D40-B197-615A-3101-00000000FD01}39082304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080861Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.821{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AB8D3F1A9B9DCF12175928D6C4765F,SHA256=35B4A05B5E1F306A80BD354EAB53E67698674A477972426261EB5545B1D717D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:35.265{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C605E8E9D9626F1C8A4BE0C8FBBD97,SHA256=2C81B90D5062DC7283D375115AAC4423D0667DD794939A9D274700782F07E690,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080860Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B197-615A-3101-00000000FD01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080859Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080858Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080857Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080856Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080855Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080854Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080853Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080852Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080851Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B197-615A-3101-00000000FD01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080850Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080849Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B197-615A-3101-00000000FD01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080848Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.791{2FDD8D40-B197-615A-3101-00000000FD01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080847Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.774{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68603EAE7B48B5512CAA45694F076203,SHA256=F149CC0527088C8052F5C0F99FFF0189425BB8871E4B67082EEE93E08CD754BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080879Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.760{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49988-false10.0.1.12-8000- 23542300x800000000000000080878Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.821{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98E98B2611B157247A7651D4C344D3D,SHA256=EA05AD53289AAC44247B0B8DB18534F383BB2F46948236CE4728E3F276630F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:36.279{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A5DBB7DDEE7C81F11BC6A9E7D4BEA3,SHA256=1F16805BF9CDD3EE817D2748A32BEA521BE547B9EF595A0816C5B3682FA5F7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080877Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.790{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=727BB0445510CEFADEC5EB9061AFC6BB,SHA256=AEA025DB20C7F04244C7F47329C2F7099EEC040018ED14C8AF45C5C94669F4A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080876Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.727{2FDD8D40-B198-615A-3201-00000000FD01}10601456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080875Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B198-615A-3201-00000000FD01}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080874Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080873Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080872Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080871Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080870Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080869Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080868Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080867Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080866Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080865Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B198-615A-3201-00000000FD01}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080864Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B198-615A-3201-00000000FD01}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080863Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.572{2FDD8D40-B198-615A-3201-00000000FD01}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:34.342{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49482-false10.0.1.12-8000- 13241300x8000000000000000102954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:36.076{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0x18f20f7e) 23542300x800000000000000080880Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:37.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BFC4D4A8E4225DCE4365C0793AC87D,SHA256=AE3F5FEB3E77B78C3FE6178387F26BDF99A58739BD13DD591A266DA56815D506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:37.295{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DA7C62E891308E0E611CBADAF1F5B8,SHA256=BD420060DF559ED62B38D28E4A0667EFAF09FDB08E095D79D3E02994FD1D3818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080881Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:38.852{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D0D9B14993455B851BE5D82A64F9ED,SHA256=512C554401699266C8E5F692319F558B7A0AE81B6804D32E417C43CBB47FE12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:38.310{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7B61BF01E7E96FF3428B99ABEA96AD,SHA256=41B02DBFA3A234229D80016F602781741E792C0BE6346A18B4C6B579ACD683E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080882Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:39.852{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5380B8E1593C192E2E2A5F230F2BAA,SHA256=11A81AB21726CD7EC50BA01D3499979CDC7E0EEE4F6BB49537A276F7865AC247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:39.342{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534B6DF5CA1017B7016D99C10601910D,SHA256=F32EA6E049470DE652271146CD6E4A6C44D70B1C7661EC40CA6446DC0ECB355B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080884Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:40.853{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B004CAE66AD14D5C428098D521BDB2,SHA256=A493FA1889540A6848D68A4A8611272B6E8A921520453A846225A4D930933751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:40.342{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D6F769D54D260A6107C7F1360AED97,SHA256=F3BCBD3894010FF92AB3AA570F995BA749B8EFF40C31C249C475953B7943DDE0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000080883Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:47:40.196{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0x1b66bdb6) 23542300x800000000000000080885Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:41.884{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD68E343CACD3E234C08C7BC13EE38D2,SHA256=91B55B7A4D4D83AA458D82E4CBA650ECE6FEF626020399D34B76C15C8BB19853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:41.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E763C6189AE05388455DEC1C70CB61FD,SHA256=96C3BBCEF7A79F29AD8EF26D95081057C21161B624E934303FB93CBCF6BF12BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:39.356{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49483-false10.0.1.12-8000- 23542300x800000000000000080886Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:42.947{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DA4A98ECC74D39D07AEF1F085053B5,SHA256=5281AC12278D269E47D3F1926359BF6F30F145D273679BD9C19E5C304059D7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:42.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202725D4F39A6A7B7C85C609F90C23DE,SHA256=7AD917DB8DBCC88A848133E47E625C27079C9B7A23B3AFC72A5EAC2E856593A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:43.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6771D75E56B1BA84E5455360D24D558B,SHA256=CEFAD53F6B5B910F8B24C4EB58098A4D8B0B78CBA832154C81CD67E8A5A52E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080887Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:40.670{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49989-false10.0.1.12-8000- 23542300x8000000000000000102965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:44.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01590C0A9645C9BB6A7850CC20943AF3,SHA256=02636B6196469F18B325015ECF02904E81DA440DE2E203A4C88A2833F536D310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080888Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:44.181{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705B15FF6566417FE323142518EA9406,SHA256=2E4379A4A03FBA0681C84532942ABD4CC82B0E3F505867D6D9C062589853BDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:45.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8783E1D257183F841C32042C3A2D31D5,SHA256=B901724DF929B420FF7A3696647AEC9F58F90F63BBA63319A0643EB639B5D596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080889Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:45.212{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0FEE99E8F6AF2D5B7C60D5107A2476,SHA256=780406100BF16A70A14525E1553481459108C77A0A6701A9205E2A282A22D1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:46.388{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE70C217983DE9F2A7EC3B1C0F1D91E,SHA256=98DB3E2B6748F0560744851BDB8B01122217256849407CD1C8A4BDC57C62A7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080890Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:46.290{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA4795E7408B9B2624EAB58051D4715,SHA256=06E5521E96D59CBF4FAEC793E6A20DCC80F0A31CC4CCFB04A42F549ACD7B3CA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:44.387{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49484-false10.0.1.12-8000- 23542300x8000000000000000102969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:47.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0809041CF36646F39967E55A4061D43E,SHA256=89C78EE0AC37D4228569FFDFB571148F5EE29737B528A8DBCED2B1C94DBFB6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080891Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:47.353{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA851C8B8251A078964A736DA1962ED,SHA256=6A959501D7A201D63E90E5B37B5ED12F7D2094C15470BB73E5212D6FDCC8423C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080893Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:46.671{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49990-false10.0.1.12-8000- 23542300x800000000000000080892Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:48.384{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AFE1594013F5207307E17F0EDC1081,SHA256=A3AE31FC96C05EA9357CFA601B7DE15772EC132DBF887D235DC35ADBA2E7C64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:48.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188401B455B74A742890B6A45B949A84,SHA256=61946D0F7510D397B9F806D75D49EDED54E0C04984E389C4748EED3ABA717748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080894Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:49.493{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4092741713324187BACDF3CF10591034,SHA256=F4AC2693FA1C7201BE589CC38A7678BD0924779AC2CA3AAF2FCFC0D911B3D00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:49.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC3B5BCE271128734C3E0FEA7B61CEA,SHA256=EA149508DEE89B526BB32FA8981B640F38FD3F6CCA1B7782CF6C16F689A0B18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080895Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:50.650{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABA7EAC1CA02E4EBE710B7516648ACA,SHA256=00228CA26F83E609B98E3C0FBBA02B7A9AD683D76A413BD49A79D762E1300779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:50.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144E1DD74D89268FA5243DFE73A97B8A,SHA256=3EFF26B8CFAD04A51931805D53E15E10A9CF41014F862529CA389A225BC08005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080896Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:51.651{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26309968B9F295B84D00D478400CEBB,SHA256=AD4CD57C838CF008ACC28CC3C5E41EF183C749DF7447296B1DA020554A4F043C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:51.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75865F53790410CDD31C8DDD5F8D8670,SHA256=46487BBCC86C4465404B1E41A4958AD7102F35818D2ED3101CBC281DE662666E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:52.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8F90802B88D33648CE76A65DFA92F5,SHA256=7646B1009A8D2B1D66D6BFE8ACE033A567E2545F5340AE6C140B74EAC6444C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080898Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:52.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC5480F72132D81D6B829396F941BC3,SHA256=805996C3CCEF93032FC079253667B8D3263219928B347A322AE924371B6D3E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080897Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:52.013{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-020MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:50.341{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49485-false10.0.1.12-8000- 13241300x8000000000000000102974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:52.076{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0x227b6f49) 23542300x800000000000000080900Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:53.869{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1094499977B8C76090A8020CC91B58C4,SHA256=963A3195B804A45D1FC21EFA91E7D30FEB2FF77A86EB2B2A2D1FFED02888B4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:53.466{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA987C96A9DEFA00D974E6FDBB010BA1,SHA256=7FD413FDD74589E309CEE138A858251A7914D811D08B7FEB14DA4A0ECEDF95A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080899Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:53.026{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080901Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:54.869{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CA1CE825D90BC4950374050B894795,SHA256=95AE0FE2C21AEA98732A8A9DE31BACA322E3A88549D8981F9BDBF103283671CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:54.482{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970BB57362107E90AB98BD9C4AF09E6B,SHA256=FC073F63AEA95B7581803CB105C2CA0F680009B02122C625840819BF97D2595B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080903Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:55.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ED74834EEF5ADDDE80BABAAC9C560A,SHA256=D79823FD40BB392EFDBDE1CA1B82E1171688F82479F33D6A55EA79CAF7D40088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:55.978{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:55.513{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5381EAB9F53375F393573F95C65B4260,SHA256=C35D54C9C6A98D60EF64E4A0D4152BE48170CDBA314829FB680FF4738C41F1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080902Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:52.669{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49991-false10.0.1.12-8000- 23542300x8000000000000000102982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:56.760{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:56.541{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8B0E01CAFC9D6575B6DBC94C7ED769,SHA256=7F443818C2030409C4E70FA506EF1A1A4C3B75148E37EF35177F6C814808435D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080904Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:56.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F557A691128E167D8F6A2CCE8CA047,SHA256=6B002309C87E6EAF24615AEE21E865D457961A86E8DF71BCD6B7749FF0B021ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080905Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:57.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3ED044DD4AF35060EA078111BB1A80,SHA256=4D3587B9A2D34CBE0A5F339F190093087A907959E83ADA4A82BE26CBD0FF4DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:57.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FD6829E9BA4CCAF9E79E0BAA1F2D5A,SHA256=B774015AEE3B4603F3407C38421979C31F13147EF18A7E2B2A6021834A1160FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080906Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:58.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F7BA4C7297BFB45502D76C70DEDDE0,SHA256=297FE218D7A85F4E33A5B49AFCD5AE83F2BA8D79AFE1C80AE5BEC373ACF8E921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1AE-615A-B501-00000000FC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B1AE-615A-B501-00000000FC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1AE-615A-B501-00000000FC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.651{58E9C193-B1AE-615A-B501-00000000FC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1809FA2F0208A57F4D25230431CF42,SHA256=1B9C1F7FE813FA7B7EFE502490FAAC89F0F0FEA674A3D3D0616FEA1556EF7E1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:56.978{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49487-false10.0.1.12-8089- 354300x8000000000000000102984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:56.384{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49486-false10.0.1.12-8000- 23542300x800000000000000080920Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C65F2396B67D8CE778625CDB7B99C6,SHA256=3093DF99F1C12F32396A028136BC118D53413997F83DB2CA3A5406630CA30971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.807{58E9C193-B1AF-615A-B601-00000000FC01}63286848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1AF-615A-B601-00000000FC01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1AF-615A-B601-00000000FC01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1AF-615A-B601-00000000FC01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.604{58E9C193-B1AF-615A-B601-00000000FC01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153E8A5DCBB75987F5E9EF4DC26FE3A8,SHA256=658BCACEFE384106DF0CADEF52177848F7BBB22D04E7C2F6DC459E1451266083,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080919Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1AF-615A-3301-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080918Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080917Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080916Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080915Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080914Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080913Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080912Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080911Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080910Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080909Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B1AF-615A-3301-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080908Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1AF-615A-3301-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080907Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.085{2FDD8D40-B1AF-615A-3301-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.338{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-AE66-615A-BC00-00000000FC01}4464C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000102998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.228{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49488-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000102997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.228{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49488-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000102996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.041{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305AA7B379167F136DD5294ED97729F9,SHA256=EC7787A73A4BF303D0B7BE50711AEFF27B308D0B844262A8CBBC59194317B233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.041{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FF5EB65D0E99EBD3CECD566686C4FC6,SHA256=E1FA8603682047EF9F14F15F57C2342AFEEFCEB7E4566394880588E0B76DEDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080924Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:00.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCF32890832EC849872261F6F03CAF8,SHA256=BB17B9F351C6E6B23B6EAC423F1098BC39AD9E84093FF7CAB1330FEEF36D186A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.635{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305AA7B379167F136DD5294ED97729F9,SHA256=EC7787A73A4BF303D0B7BE50711AEFF27B308D0B844262A8CBBC59194317B233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1193BFCD42D8BB28F92408609CB40FF9,SHA256=D54300B3EE4E89383C8F0B7B937ACE8D89A0F01EA7892ECE849E24D9788B6F0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080923Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:57.745{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49992-false10.0.1.12-8000- 23542300x800000000000000080922Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:00.209{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D203D84B6327833ACAC80E971E510B05,SHA256=E7219B9305A68E7E24D54E7CEFDD93AF7E2DB8FD85430E0169FE09A9E21BB9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080921Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:00.209{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D62178FAE56BDDA1589987A752027F4,SHA256=DEEE4E91784DE805132AF07436949B7A0AF47B8883C0EB598631C88E5E4CB250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B0-615A-B701-00000000FC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B1B0-615A-B701-00000000FC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B0-615A-B701-00000000FC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.339{58E9C193-B1B0-615A-B701-00000000FC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080925Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:01.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29D9ADCD804A0915D027BEC77BB3818,SHA256=5DD9C698820461D0A0F21C8EEAB666FB4FC2B4C00986E503887768FDD0CA7546,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:01.869{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:01.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622C7731377883955940402E8119B9C4,SHA256=65182BB992C89AD11D8956ED048435F61BF13E5C4E964478FD232AB0DBD1372E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080926Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:02.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603D2D2CC06D54CDB5CA3737A836C7C3,SHA256=EB52E6235566F40A94DDC99928B7DB3407F5B88E9FCC2FD7FC1FB89A2106D32D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.588{58E9C193-B1B2-615A-B801-00000000FC01}45806460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595F12F25401EF35D485D4DF533F626F,SHA256=1939F464ACA4F826BEEB0F1B2ED7C8E56CA2C329BCC610D5C637FE95619AE6C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B2-615A-B801-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1B2-615A-B801-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B2-615A-B801-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.354{58E9C193-B1B2-615A-B801-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080927Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:03.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8216F7C367DE1C516A7EE5508D0C918F,SHA256=8BA04822C51429C292D101DC2DDB54D72F87D3A8DC23C1D8A3DDD51A00A5FBBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B3-615A-BA01-00000000FC01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B1B3-615A-BA01-00000000FC01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B3-615A-BA01-00000000FC01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-B1B3-615A-BA01-00000000FC01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E11FF8399D25DE6F447EC5F26D94B86,SHA256=6405A6B057BDDC916B372265ACEF8885C3A4B55FED8ED4B081C1CF28BB7F7DFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.447{58E9C193-B1B3-615A-B901-00000000FC01}47364816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.369{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0A7A0DAA0042A98146768CA1FEC7A48,SHA256=40FF53AC2F4529D20E93231C63097A1F808A3D7A049701BB7A27E36CFB783E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B3-615A-B901-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B1B3-615A-B901-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B3-615A-B901-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-B1B3-615A-B901-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080929Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:04.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3B5978EA7C5E67EA674038B5B7246B,SHA256=BA36D9B06BE7928B11976AE9913317929459654B63032E394A96DA6BDDE4AB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:04.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B2C1F0D2DC5FF93064201CDFCA7358,SHA256=B0D6C4643890BEAB102B039AD5BF67CBEE08C0223FA80808EE1A52E45D3405C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080928Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:02.792{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49993-false10.0.1.12-8000- 354300x8000000000000000103052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.306{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49489-false10.0.1.12-8000- 10341000x8000000000000000103051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:04.166{58E9C193-B1B3-615A-BA01-00000000FC01}61722424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080930Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:05.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46D6798ECC0C4BA4C1990DCC18326D4,SHA256=91BD4652786391E50C890803AA8D6D9C0B21098825A761E8C058CD8525CC202E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EB7362F67385003A82652E2EBE6CEE,SHA256=36DBFD49B52CD42B56FD79101CE383776B66EC2B33FF88AD0A30C1C03D70F85D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B5-615A-BB01-00000000FC01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B1B5-615A-BB01-00000000FC01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B5-615A-BB01-00000000FC01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.417{58E9C193-B1B5-615A-BB01-00000000FC01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F2874D606DDD3BA95BFC2F105E6630,SHA256=1702679C64D7879B58A588D56C795257C6D729B6102FDFC6CFBDE922894B25B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080931Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:06.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2204569C6157BC61293C9712323398C9,SHA256=F3FAE5DF8E8BFB464990A7F436BF58DBA279F5D9797102697015A4B03882EDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:06.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFB38E5149696D2311110210C16E853,SHA256=775719AEF3F80CD0B99EA21376348B3B7BD19DFA41E052509E19FE72FF210159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:06.416{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F9FB0FCF0411F2AEA45F6377C4C2126,SHA256=359AB5DA1C2337DB1BDD437F5E7012211B035563AEF73F43580D65567174706A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080932Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:07.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64F2348C918CE18BE55170A9ABCE703,SHA256=A2589BD8DB2699B40D4FE358A86086734A36A6FF346F9202536E5DA284FE8911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:07.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BB83D83C710B6C2AC39E3EE960FEA6,SHA256=613A244162DDBBF24AFAC045E0B7F88C0EA8C69F9BDD5D73E3B8ADDA3ED10B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080933Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:08.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64C1D6A9F197C5AEF9D2ECF39C7A2C0,SHA256=51F081E6BD92AD89D5B32B6BBB11DEB7C4A3DD974A8815D6EA11A1442E185C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:08.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4018D33ABC6B8B3EE074595DE731FF54,SHA256=80514004B43B1A79EE94743678BD1B25ADEB35A3C3F842430EA893F4C8A93344,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:07.431{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49490-false10.0.1.12-8000- 23542300x800000000000000080935Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:09.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E773C1BFD7A7DF401E5E3BB90E1FA8,SHA256=C5511F932A5EA9698F1C24FDB03CA2D5544545835CBD0F2B4281CF2F509224DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:09.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB1454E19FAC2F3C9AF4093C4B23389,SHA256=A68D7F974A5D1B38BD8EAD16C70E20CAEFF3B2BE5D46BA40DFD893A9497764BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080934Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:07.808{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49994-false10.0.1.12-8000- 23542300x800000000000000080936Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:10.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C602368C65FB5EEE9AF41FB5B11262B,SHA256=D1DDD053BB009967A2F139ED7C4799648BBFBD64D801860501B2D4B02D74B13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:10.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6683E9B0C345FD29B2782BC2B87F87,SHA256=6F1215DEA41C53F1EF13E429FD68A9F1171F4135D1A9FC2E65BC899E43803159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080937Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:11.896{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68D78E1CE7EB341673E1C633E4ED86B,SHA256=D7FBE4DFBF53D9C2165A084637655B9C68224721DF200C98FA8AB7BC2049FE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:11.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088A2F487A0DEC9BB96BC39A4CE5AA4F,SHA256=6B940BAD0060F539E86B707DAC8FF95740E5FFAD475E4F95782982B0336D6D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080938Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:12.896{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E767915FBFF96B1C0AED995E6CD4812D,SHA256=6FE131A2074BC102014374E75CAD3C8747667B355B1A5BC504F4BECEA85043DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:12.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6309EDF4A4868DE3DA2A845B172962BA,SHA256=D1B6201CF0B5245010BC6C04CCAB360B521E9FAAE77899CDD1C834262FEB8462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080939Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:13.896{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF227787DB7E7756B2A315747084F02A,SHA256=4363354B3690677F2BEEB752661EE6D39591DBF422529160369CDFE47AD199E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3CE0FE0E0C2443A6EB23217EBECBDF,SHA256=F849978D708EEE62D5857FA90EBE6094D8623D9E820092B3877A4259F96564A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080940Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:14.896{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEA1E97E9409186456A670C21DFFA03,SHA256=56BDC9A09FADF0F6155AF8297621C1146F134DAEB627AF62CA9B74FDEFFB51B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.400{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49491-false10.0.1.12-8000- 23542300x800000000000000080941Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:15.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89756F34E99F51C4F24AFA3875BEA72F,SHA256=9B54A6869AC5B52FD968F0ABAFCD669A34CD702FAB1D5BA99A56BD25DB543F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:15.619{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789E1719E7C876576A1E2F622FCC3D0E,SHA256=A4581DA18F3E92A38B1AD462D164336F9E1C53055516CF322C1C061EC75E7BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:15.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA70933F45EDCB8904C4CB47301E1454,SHA256=5F168FDB4F39BA682817C046F367F7DFDF818F49767414948F650D5456206EFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080943Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:13.761{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49995-false10.0.1.12-8000- 23542300x800000000000000080942Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:16.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A76E0BE6A9968DBA42109E278E723AB,SHA256=EB953DD1E766291ACAABCE8B49B7276793BCCD184E60108D6AE9234E6B5454FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:16.631{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCFDAE24BE0A864FDF25ED8A77970E1,SHA256=77CE148D832169274F62D7C0C2D8AAFCB4A850D4E4A11FFF73810C698C5649C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080944Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:17.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2C8D36405DFE757F0E2A6A5C77E6EA,SHA256=684A330D55A31D1A0119CE40758EC2EE5660E19B771445D875D906930C580B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:17.667{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-020MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:17.666{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6CB5A88CCF96D13C26D1A25AE59285,SHA256=EEEFA90AFC35F2CE4392681C8A182562DD717A4B7E0113B579A888C8C4195401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:18.681{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5B8E1CBCDB378DD28FA6E1E0797C67,SHA256=C76EE3DF2586CABA3B276558777F06A3E7CDEC3ED2A37D8115339932B5E44EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:18.680{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080946Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:18.971{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=96C02600AAB6B2BDE1F0A7FCDE7100A2,SHA256=8846B589A9EC026BA3A6E8B0A0F2FF9B9BEC4F70F3583F13393EDA7E7F3F1178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080945Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:18.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BFF933A04EC99EEBA3C150ED3107AB,SHA256=34C30A7572C54A2476E5D2D5044A810274DE5288D5F154F53FADD0F5347DE188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080947Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:19.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8BF4A26874B7567B353540931B3310,SHA256=E79C7FB0433A86EFBBDB70D473B65ADC9686082438EAB7CF919E3D19AB43D6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:19.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75E84A1B6D5D3A69EB0322A930826ED,SHA256=05330F73E09A61C11EB606A5474238C166795932E0CBE007B05857EE33C94C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080948Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:20.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE0C15EC314EECF60E7E515B7C997A3,SHA256=C5972A1F7BC7E2A47FE32397BD1D1AB0E721D4B149C0F3AE334A3BFAC2E387BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:20.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE83E44857FBC5B1120270160C6AC518,SHA256=2C3906C32819A0BAF523A0A45FB5D852495B281F2C71FB44C91B4086BA4F70C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:19.368{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49492-false10.0.1.12-8000- 23542300x800000000000000080952Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:21.909{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5091D687645BC5A12A79DB169999C8BF,SHA256=C43CCB1B11FED0B6F2EE01A1449D15AF823890B5FDD8ABFB7251A74D25D68963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:21.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB65FBC249C22941A25F45BE64CDA81,SHA256=117FB8B5CF02852B4BB05E3BCB1F624E6BBEBD1FA16C84EE56F25E1D3249EF49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080951Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:21.252{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080950Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:21.252{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080949Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:21.252{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080954Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:22.971{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4D282D355F76366CDD0AF03FBD5988,SHA256=3757A1DE9677048A7380ED4C89FF44F14E6702CFF9D34D24E46598CA0EAC67EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:22.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF546F54ED803DA663BD544A6DE65DE,SHA256=3D9C19C383A9371403F47096E9FD7D966C036A6196B866391199481D4155B5ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080953Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:19.648{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49996-false10.0.1.12-8000- 23542300x8000000000000000103118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:23.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90F74FC07C44B069747A26F9FBD8973,SHA256=34C27662A1108491C5367F88FE8799797C816E581E3904EC1641AD00C7905820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:24.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFA845AECBC906C98C5F7CAA21563E7,SHA256=DD3D085729DCA2D275553F04A6E0F355E7FA88D3D0ED6661565BACAC1A383078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080955Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:24.127{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA91778F6BDE6A0CA7FC01EC30D9451,SHA256=D0F02CF8371E6EDE0769734F02E9574E578292C442937DEB21450D48661159F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:25.780{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9395D9054F0A84FEF96F0D54884A24C,SHA256=0D8FBF44DDE9B5735A330844E149D17D0A4421054C4E54B8B03C0F2EAC603045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080956Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:25.221{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F633AD10C4613933E2DA6D1A2342710,SHA256=BF583ECA76D52CF1782132586C6947064110DF1C135D76502149A2FCE85A6E57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:24.467{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49493-false10.0.1.12-8000- 23542300x8000000000000000103122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:26.811{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8689FBE385A959633E5F9FAD67419AE0,SHA256=EE4F045829CA3DFA07D4C77B283868EBCEBDC6734F83A80DD7DC532CC2D5F620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080957Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:26.409{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F1E10F81F9782E850D06AEBFE95599,SHA256=CC85C2B39D9FB17AC78E51D5124F7D2492F78A2BE8FCF3B8C8A23ACA8DBDE619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:27.811{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3AA2C4F474A7A4C440C908F5761144,SHA256=0A8D8A2051BC2D75D204CF4F668DF375116AF045B3C772465DA5519A0F61F036,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080959Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:24.758{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49997-false10.0.1.12-8000- 23542300x800000000000000080958Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:27.440{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794586C26EC7C30FB4CFCEC842EBE9E9,SHA256=8A588D652CB19900284C6FB3BA0489AF4224F0DE0B10467678353A86EB1299CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:28.811{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0709F0E7418521A229548DE4644B61B2,SHA256=C3B4FA34EADDCA85AE2202DA2D9CCFDFCC5F77D2A90A2C0B26461CC68ABCC695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080960Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:28.471{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78538FDE8AB8D5BAD9DFFB65F551697,SHA256=CC4D7A6D9BB968C33911C81B37F8AF29D145FE8B8C53D71AC8295E4CEEFDB477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:29.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4134D6156E4AD640FB4718DB54279B,SHA256=FF9E6F9FC3A12B62C7039F1ED5C49EF2C94FE300D390437EE8C46EBDCB18F124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080962Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:29.596{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080961Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:29.502{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4ED077BEE4D530029816223204830B7,SHA256=CE06F0296F1F470D4107651EB9E188F27030DC96AD4EB8C0F4F8F3E0C01C5D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:30.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A778353E0E5F0C6A7940120DCD43DB,SHA256=698FC0E2B2C74A50C8D6FD9DF46AC58AA2614F09992B81D9F391EE920A8C0D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080964Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:29.132{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49998-false10.0.1.12-8089- 23542300x800000000000000080963Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:30.643{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F54AF0282260AD29878842C6D30E526,SHA256=F5A88277DD8F5A250F65BDFAE26E10E32CB261CEB5211C2ACB2B8638986B2D27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080991Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1CF-615A-3501-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080990Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080989Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080988Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080987Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080986Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080985Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080984Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080983Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080982Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080981Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B1CF-615A-3501-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080980Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1CF-615A-3501-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080979Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.973{2FDD8D40-B1CF-615A-3501-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080978Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.674{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D8AFECC7D7D1781B307ABF55DACA93,SHA256=B472A49CCF4FB6B8367BBE0BDB66A371C98A49947AD867060C5E2BB1148224E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:31.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F7FEE70193C229818131D510D2B755,SHA256=F4FF5E1F97D4115EA385615C3B45DFDCDE330B96E6B0F580E99869C20A2DA64E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:30.483{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49494-false10.0.1.12-8000- 10341000x800000000000000080977Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1CF-615A-3401-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080976Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080975Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080974Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080973Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080972Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080971Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080970Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080969Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080968Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080967Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B1CF-615A-3401-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080966Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1CF-615A-3401-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080965Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.472{2FDD8D40-B1CF-615A-3401-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080995Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:32.909{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384EBC0BB62FB8B2647B55ED4055B36F,SHA256=4F89A40F1893FC0C0D9E94EDD9AD87E91505137DA3FDB70C6470A4CFF7DD541B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:32.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B513DC8D0F235D3A31537A182362689,SHA256=41A4FDC587EAD7B7281ED9EA02CC890BC351184AABA0161AC0DF61FDFDE9B46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080994Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:32.487{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=223210C797BC5A5D9CF1BD1BECFC035C,SHA256=2E83486C3BE5792B5171809289A31B701BAC578DE3F9C0B026CB9D3B2C473EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080993Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:32.487{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D203D84B6327833ACAC80E971E510B05,SHA256=E7219B9305A68E7E24D54E7CEFDD93AF7E2DB8FD85430E0169FE09A9E21BB9CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080992Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:32.127{2FDD8D40-B1CF-615A-3501-00000000FD01}1723348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:32.014{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=99AC9CCC6D5FEEDCFB86CF523BEC4EAE,SHA256=150B1EB6CECF5C3A02D7F3C808689E266F284E63AC44082ACC4910DDC3C51280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:33.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B936D61B32FAD5AC4628FBDE203F0326,SHA256=DC318D68073B12F2C5BE8E0F557EC18C43147AB51ACEEEA7F67BC8F6D57D5F6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081010Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:30.648{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49999-false10.0.1.12-8000- 23542300x800000000000000081009Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.924{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44661CD66AD1057B72E6C77536421AEF,SHA256=8ACD57BEFCDDF8BBB2888FBC574921ACB6EF31992A3906EDB7271FC445DAAAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081008Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1D1-615A-3601-00000000FD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081007Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081006Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081005Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081004Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081003Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081002Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081001Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081000Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080999Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080998Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B1D1-615A-3601-00000000FD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080997Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1D1-615A-3601-00000000FD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080996Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.144{2FDD8D40-B1D1-615A-3601-00000000FD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:34.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE58EC21962EAB3E9E95EE1C2C8ABC35,SHA256=DA62B0926DE1A2D7DD4F0182C9306F277AF86B67FC5D965690BDADEE2BAE2F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081026Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.940{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495F747582C966E37B1DAEFF9DC7F4BE,SHA256=AFD0FC1DEEA0A1F95CE0A9D5FF779E1BDCD0FFA6B6F573CADE1F06E1047BDBEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081025Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.940{2FDD8D40-B1D2-615A-3701-00000000FD01}8003112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081024Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1D2-615A-3701-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081023Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081022Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081021Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081020Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081019Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081018Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081017Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081016Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081015Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081014Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B1D2-615A-3701-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081013Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1D2-615A-3701-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081012Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.738{2FDD8D40-B1D2-615A-3701-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081011Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.377{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=223210C797BC5A5D9CF1BD1BECFC035C,SHA256=2E83486C3BE5792B5171809289A31B701BAC578DE3F9C0B026CB9D3B2C473EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:35.862{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF197B5D34446242DA79A6C0F2B990B3,SHA256=AC55BEED51534904C29DBDCED8E30EC8B8B5185FEFC78E55F0C0F74AF83B6862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081041Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.983{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B71013772C3E5297E2DAD389322ACB1,SHA256=30829F7D05AEA712B33247BFD53BFF499B5C812789FE549EFE84A05F38328992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081040Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.952{2FDD8D40-B1D3-615A-3801-00000000FD01}12681208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081039Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1D3-615A-3801-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081038Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081037Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081036Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081035Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081034Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081033Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081032Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081031Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081030Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081029Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B1D3-615A-3801-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081028Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1D3-615A-3801-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081027Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-B1D3-615A-3801-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:36.877{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF77C5004B9E4518ED9EB3882196FB3,SHA256=81ACAD61DBE450588F2C6A7B103C12411E0523ACC386685C0FCF82601CE1FA35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081056Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.718{2FDD8D40-B1D4-615A-3901-00000000FD01}3162644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081055Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1D4-615A-3901-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081054Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081053Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081052Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081051Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081050Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081049Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081048Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081047Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081046Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081045Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B1D4-615A-3901-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081044Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1D4-615A-3901-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081043Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.578{2FDD8D40-B1D4-615A-3901-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081042Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.999{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B69D8785AB86B61FF10AD665C856C57,SHA256=8E949660DAF8699884CC4B049AE6DEADD43B81E22428A11DAE3E35B990061D01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:36.284{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49495-false10.0.1.12-8000- 23542300x8000000000000000103135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:37.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5FC1105AB39256E707BD6523397A8D,SHA256=5194696130AB3C1AC382C57F4DC65C94BFB8540AB6CDC2A8283D27E92B6FEDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081058Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:37.733{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65C953976222D0A35C81C26EC5164FA0,SHA256=4FF6A9D583D962FD354E9543829404685CFF6AF68A71B5CACE3039B59DEB0182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081057Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:37.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30760A43E5831D95FDD43CC8C713FCB2,SHA256=40D29E00C155CCA0F3A00137E68B1057E282787FDEE76D32917A4C9CD8B3C65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:38.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7AA2302606D42450D40167497894E1,SHA256=B77283DD8B06F67B2913C51137F39BD950B48F7E071A099E2372A0072A1139A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081059Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:38.187{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D851D7F95750C83672349277FE9A4A08,SHA256=167BD5E34557CEA0435F8FF19F514822D154772E25775FA5025055553BC3FFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:39.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2163C291A206AD72DE8B040A7F5E7B7E,SHA256=F0E9EBE337D5A1203EEB0ABA44C57E5BEACFF599E660948FCA87E176ABBBA563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081061Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:39.187{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CE46F2B8C92681FCAEAAB515DF7ABE,SHA256=DBD5998E3B0F161B8BB08410CCA8B1EDA3B353829272FB23391E8D892AC8093B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081060Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.567{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50000-false10.0.1.12-8000- 23542300x8000000000000000103139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:40.924{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B3A1042F01ADC0F0977129805E3C99,SHA256=061BADD9A182D43756E1395D62A1538418AAC602B591F1B6E7BB744E5C397F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081062Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:40.218{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AACF2B676959D6D8467B84DA9537BB,SHA256=502049B2545DEF229B068D55FF57AF4D3F7390BC20DAC1495DA575F893CC4D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:41.940{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC5EE9FBABB010E3E0428E6F76B64BE,SHA256=A4437521A515A03C8AB8238E54FD18B8AE6E9B01A5BC2949A57E2D64EB3417FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081063Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:41.249{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860B0DCC63A60872292B016412084442,SHA256=2A79FF0DA753BDF76E548B4E89D3F3A31374444A8B954C5107A26D2A325C114B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:42.956{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18112EB5587AEF5D8531A313414B90C4,SHA256=9AC4A1FDE00F2EEB95CED7AEB1B936E2AE49042E91ED3A4AED2B93BBA44ED525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081064Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:42.249{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7082915B0E5297C44B6DA77DFA76DE24,SHA256=2D805E36126F60F9BE7C5641BC0FEE998F549D9647589766E6BCA27F237FFE4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:41.378{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49496-false10.0.1.12-8000- 10341000x8000000000000000103141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:42.284{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:43.956{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDED61C728CA8E75541EFB01F9105C2,SHA256=6CF53CB28B0627530D2B05FDD950C1408F196AB487FBCA02B29289B0A09C3A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081065Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:43.327{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970C4691AE73DC7E5A8BEE7D5338C271,SHA256=8948389114B90339B7D4FEA20856203269E083C621355427DEE2510DC5215669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:44.971{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA5EEC074654C649A7D6BAC60B58443,SHA256=6BFF04CCF8723574AE1BCC44A4FBE013649600AAEAEA2F3AC2243362F3BC0CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081067Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:44.327{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9DBED197CA1B634A51E1824263F34E,SHA256=EA61D88F2ADBE562D7684BA6E86F3AECC8140B36D050D6DAF93D838768432399,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081066Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:41.723{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50001-false10.0.1.12-8000- 23542300x800000000000000081068Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:45.452{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D17B914903B80D51851648EDABB69E2,SHA256=310CFDC063A75BC6E65966D42C86295EECA4A8390C37F972F7C31F09A7730A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081069Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:46.468{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3296D067139BAFAC63806643E0CD8C4,SHA256=0E300962D13C5475C79C200FEF3A2439B4C948B2B63E9CDB9D2F024432576113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:46.206{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4DAA1EA8D9E5237DF8E42B0187A2EF,SHA256=773019FD20CD28A37BCAE8D4BA1FD0E715AEB7EEB19BE5375CB2115749934C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081070Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:47.468{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D13FE03629C4480B4E788D67557612,SHA256=9EAB8F46DA4F8F48982B63215C0A4693BC5B437A38F8F389A7E8D731BBFF8F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:47.221{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFD0646AA49A5FFDE9FE3E9BF574188,SHA256=E9CE04D425B9668304EE8C157A02B5BF04D5F7BC6738872622BA8D12797F61F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081071Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:48.468{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3496AF4F28F5D5E9D8A3C335515B61A3,SHA256=E58E6F874766E30A54C6F9AAF75C3F4F3FF47BA6BAB88904049D485D6B2F7B0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:47.459{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15-62453- 354300x8000000000000000103150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:47.457{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15-51699- 354300x8000000000000000103149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:47.331{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49497-false10.0.1.12-8000- 23542300x8000000000000000103148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:48.221{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8AEADA2E5620F1E0931E458AC25EC5,SHA256=E533360BBF347F1B2652ED51233BD62327700FCC2C648061B4FA97B6741ECB29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081072Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:49.499{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3B0E0E5BE60706395A093DC5395255,SHA256=829EAA2DBFC74F40C78E1EA8E2152A2FB600D8B86C3F3165AE32C434D1374442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:49.221{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1169D4C18F5E245588A8D6F5241A727C,SHA256=B17A93ADEEB7CA90268295C7806D91D84CD34B6CE7B41475BC2D4C89409A70A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081074Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:50.499{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E14AF38B5E8408C95784945340764F,SHA256=A0CED04E379385ABED44AA3F27DC033D74079AB97617BF0FFFF336FD8E334254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:50.237{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30489307EDBB8D11BB22409717B8461,SHA256=035F0355036218A654CB09314E4A91AA42686CAD706EB7BF08F16B2B195D1517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081073Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:47.582{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50002-false10.0.1.12-8000- 23542300x800000000000000081075Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:51.499{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220596FAA0BE9BE9B52737C02A134DFB,SHA256=A0DD9EFE1808528A7CBCB1ED9FE355E3D319E404F32CBD98EFDF523E831E22CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:51.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DD3EF036E8194827EC3A822A214518,SHA256=D9A1CA15488E2113A6F3804DC834BC99CE20F63E6F569D89D90875FB510B16C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081076Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:52.609{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C9246DCA1A0A9488097B9318853200,SHA256=2AAD347ABC6A092BC82C79AE9F2B9179679B5897110B0874BAF2D976ECD338C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:52.315{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035F836103E15D78B7DD43F95B9EE065,SHA256=43BB06C614012B155A48E2C414A517DDA9CE8EEA8D5E50E9A10906CB2FCD2774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081078Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:53.617{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C120DB44AD33B8FE2582B76502D8FBC9,SHA256=71B1C864B46ABA42DBB08A29FF701D972EEA3FC0F80975E2D407DD12F9BCB957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:53.315{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C9609B8BBFC346AF36482A751A8A67,SHA256=63917E4F664A4F3DEAFAC25CFEA68B45546E5D900A3EB2780F6E8E24A9C51799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081077Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:53.550{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-021MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081081Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:54.725{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E268FB9A7CE7990AADF4575213AF0B3D,SHA256=AA7EB89AC17EFE4CD409D40F2ED4CA0EA22D03969BB1A57E9B17E0948138192C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:54.315{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3271F68C91AF8FA1F51731F89695CD8,SHA256=8C468360312E30C08AB2D4A51DABF38451C0E73DBFB71D175CFC4AFAE1BEC8FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081080Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:52.647{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50003-false10.0.1.12-8000- 23542300x800000000000000081079Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:54.555{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081082Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:55.773{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBAAC0EA1E354E4438D6DB32639B4F0,SHA256=DEB1E1038655967983A277CB22DED80611D63419E110678C06457792DFF2FCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:55.362{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446AB7EBA03AE341CB963E8183C2A97A,SHA256=26E267FC66343D71927CAC00614C54EA343DB4EC5F91CE21CBF61822496479CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:53.284{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49498-false10.0.1.12-8000- 23542300x800000000000000081083Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:56.818{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0472CA2FE94A89F287C004397E2D60C0,SHA256=7297EBF5D6D9A09A89E6A1C725556C5A0089B4238B1186A831419229D65B9660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:56.790{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:56.399{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169A26FE93E192E82096BB0BECEE06A1,SHA256=C4E7CF6E47A71590039DC1E66EDE62505D7DE5E147640A2B1A96717A1701F1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081084Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:57.818{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911D0C978E58A1B00699EC4A581A2B39,SHA256=04A9524A00EC1D37B8BA44B041BF7DCB263D321AA51404AE6E8C5D550CB8F0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:57.399{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696DEDE8A028265414455F50869F082B,SHA256=132B3CB8B98D0109ED3F85404FABEEA9829CAFA7264BAAF3C885E3E2FEF2CF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081085Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:58.943{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D736FD83D43011370855CF1499BDFB,SHA256=796132116DADB14755D18DAD3150FAE018CF3FA3452DD7D1383D6652F46DB9DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.915{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EA-615A-BC01-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1EA-615A-BC01-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EA-615A-BC01-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-B1EA-615A-BC01-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.524{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAC8532AF8F4FC68E3695D234B68AC7,SHA256=0596598C1F031FBEA0E2F51554599BFF6F06AF2AD99B0C9DC1A4068536DC51D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:57.009{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49499-false10.0.1.12-8089- 23542300x800000000000000081099Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.958{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2ADB0FE8C888BD362DDC77C52E17AD9,SHA256=6E25E4AF5F48503786A926234B75B4780584CC0DBE09FC1EF7B87798BB8307B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EB-615A-BD01-00000000FC01}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1EB-615A-BD01-00000000FC01}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EB-615A-BD01-00000000FC01}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.603{58E9C193-B1EB-615A-BD01-00000000FC01}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.555{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9286DADE15D9A7333FE1207F79F24589,SHA256=CED8D2F832340C02511755A434C850FE04547001DA1F1E61E861EC14968778C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081098Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1EB-615A-3A01-00000000FD01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081097Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081096Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081095Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081094Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081093Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081092Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081091Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081090Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081089Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081088Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B1EB-615A-3A01-00000000FD01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081087Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1EB-615A-3A01-00000000FD01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081086Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.100{2FDD8D40-B1EB-615A-3A01-00000000FD01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.243{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49500-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.243{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49500-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000103175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.055{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8419B557FBF89F22B66BD42C171CE6,SHA256=072A48182BC32D6689B3395A8280EC28543D680C4329628AED8FB60564AC2621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.055{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA9B4C400EEC225B703D203E15F08218,SHA256=6C84ECCE262CBCCCE129DD2DECE66F0C5F2F7E7441562292EF9336B5C4A79BC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081103Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:58.604{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50004-false10.0.1.12-8000- 23542300x800000000000000081102Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:00.974{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3F478EC2598C0CB09E3ABB671E1B74,SHA256=11A48782F974AF1E0C692EAD60FD0E0765F26A158F2A544C16121683241B505E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.977{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.977{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.977{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.961{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8419B557FBF89F22B66BD42C171CE6,SHA256=072A48182BC32D6689B3395A8280EC28543D680C4329628AED8FB60564AC2621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.586{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFAF01E0ABACF3E9632424286AF788F4,SHA256=000F2AC873D456C5EA4DFF6483103FB2F4B991950852D2369032C6BEAF4163C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081101Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:00.333{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18500C57143A85FFCA3C38740E68EDC4,SHA256=B990F168DAE0C78FCF2E8138BD021323899C815A5D61BF62D7328A88FB9B38AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081100Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:00.333{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C27D592AEE2CD3C8C31A749BD87CA5F0,SHA256=9A4D3392931DECE4F2A675EED4E6F9A10F5BA733400BC8F54C141DAC0D264C5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EC-615A-BE01-00000000FC01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B1EC-615A-BE01-00000000FC01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EC-615A-BE01-00000000FC01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.494{58E9C193-B1EC-615A-BE01-00000000FC01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.321{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000103188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.337{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49501-false10.0.1.12-8000- 10341000x8000000000000000103187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.993{58E9C193-B1EB-615A-BD01-00000000FC01}60526248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081104Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:01.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB28C4C0C98DF36F7732B4DE3B1DCDC6,SHA256=F5836EA52E58C4F6458056AE0E3C19BCB454AA0FD57C2EE3F383441D479ED88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:01.633{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83EC91551B1CBC8EAA8B9DDA6AEBD9E,SHA256=EDED7EE6D4456107D9A786269711311BF6179037C73AA151BD4ED81AEA7F5431,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.450{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49502-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000103203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.450{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49502-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 23542300x800000000000000081105Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:02.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C206413DEDACD21C9275DA81BBA2C7C8,SHA256=262F69C941AFFEDFF892F11F158DC41546713B59F52BC32831118077F4F61194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.790{58E9C193-B1EE-615A-BF01-00000000FC01}66805040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.649{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA602316C970D9B088484F4968B5729,SHA256=817C219F9471B9A14F8EBEBD663A3D844C67D0590DD658012B8B3B1F4F65B4BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EE-615A-BF01-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B1EE-615A-BF01-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EE-615A-BF01-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.353{58E9C193-B1EE-615A-BF01-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081106Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:03.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8059D893501848A9874D278F5FE7FDC,SHA256=2E2DD2D730FEF3CC7CFF83A5C62971E4F41ACA9E305F3F8CEA4438EF37969851,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EF-615A-C101-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B1EF-615A-C101-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EF-615A-C101-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.901{58E9C193-B1EF-615A-C101-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.680{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FCA621D07DB65B85560B5BAC6560E4,SHA256=40F3932F8F53B9A1BA4B361482730FACAFC9152BFB28291FF81D2276AF5C7E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.446{58E9C193-B1EF-615A-C001-00000000FC01}380776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.399{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E6B36881E5BFD9F9A8D63025F275DC6,SHA256=FF69C1247DF945A348D089A9711868B7DF29C62FE57B0D55713D6C5C9B8965A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EF-615A-C001-00000000FC01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B1EF-615A-C001-00000000FC01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EF-615A-C001-00000000FC01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.259{58E9C193-B1EF-615A-C001-00000000FC01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.559{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49504-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000103218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.559{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49504-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000103217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.462{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local49503-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000103216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.462{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49503-false10.0.1.14win-dc-639.attackrange.local389ldap 23542300x800000000000000081107Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:04.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76710D413C2D0E1AB0865FA0D5A6E56,SHA256=802117A007D3CB3007E617628165EBA03DA034D79402E1E6C8327F924A4D357F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:04.899{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80EA222511ED4B374E6726F539A40560,SHA256=FA720F8BC9777DE2A46765AC7C7BC63A32A8B3FB16C0F6B5AF630A4CC42939B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:04.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0E757BD0616D81F1057685B6192EFD,SHA256=00C7FC77909988FA699AF1E86CC148A668CA5F5BE9314BF95F5FAE1E639055CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:04.165{58E9C193-B1EF-615A-C101-00000000FC01}68126372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081108Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:05.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137D98E35F0465823BC232D51260D9E7,SHA256=0E3F15A98F58DBDA41F43AED90B091F4342804AD50E78B6ADD52B42661325556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBA04920BA63AB79382BC06FB41BAA8,SHA256=D22BDF7E8E3C51227138129A22D71316200F5872230BDD6D969C8CA99AB6E40E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1F1-615A-C201-00000000FC01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1F1-615A-C201-00000000FC01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1F1-615A-C201-00000000FC01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.431{58E9C193-B1F1-615A-C201-00000000FC01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.400{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49505-false10.0.1.12-8000- 23542300x8000000000000000103255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:06.868{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5B9A4F3971B7541F5369EFBC8A8941BE,SHA256=44ED0A3325D72256CF877F22A054ED72CA7150E12C3C85D4323298ABFB70BD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:06.868{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3EBB728275D212E0C02712C808E92B27,SHA256=3525CAE130E53EB0D2AD8473794A5CED0287D14FA7D099C91E778654CA341311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:06.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45292826CA59D056D1A1862C49DD097,SHA256=DE88E77297CEBC7DEBA98785B242B542E21E5E0CADFED856E31631149C501091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081110Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:06.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC494130A24C450E903E8CC76E322E15,SHA256=ED43B467F4E6146517ED4161EC5373AE6946681BF5C80B2E9C5ACCB155722E05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081109Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:03.714{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50005-false10.0.1.12-8000- 23542300x8000000000000000103252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:06.430{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C92F2B20E8C3A5F1463FB0205A16B6,SHA256=AC65AB3B69FA711E9B387A13318608DB5107DDB8283E06DEBE8473E525914143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:07.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750BCC77BDFBC63BA0B77BA70F5D9619,SHA256=CDB9AFD4A16FD4D66921090330D8E05C04D86A332BA7CC774A65C9C6CD1323ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081111Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:07.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343D71FA24E59F2CB58898DD065F2253,SHA256=C7EEC622546D35555092F3D9A8D6D662D130CF84545974DF3783299A617D4A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081112Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:08.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23E207FB2B413E903D236C98DA9FF64,SHA256=69D97EAC7DD650E5B1DCEEE96C9AEFBD822726FA37C6F90810BE74596C570B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:08.743{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC654F4EBBE375304CEDE5DE9A96B46,SHA256=06C9CEDB010F1700C096ABDB8FB79564D1BB57A970C7AA440E36E113ADF190A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081113Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:09.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1129D3FC415CD6007196F23E41A19E4,SHA256=FDAD18863A47F4821673E57C6484EA36E7A31A1342D8F62D4B77ABD438CC6CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:09.758{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9912210EDF28B84BB4F790CBF800F602,SHA256=C429A616E6043B1C0C2C2696A3B7C533C8F2C4A24099CFADE00928FC411BD8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081114Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:10.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03729CE1DFCC242A06B3F86B5BBD79DB,SHA256=8C5E41C2AF90D774165AD643C5B1B84F9FE6A3CC4F9A8397828D89D8EE6195FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:10.758{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4AF53C941103F5825AA1C7AE3EDD7F,SHA256=BFFF15B09F99C9FBF523559CCC6BF5717BA208E5348D42ECE38716625AB71A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:09.384{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49506-false10.0.1.12-8000- 23542300x8000000000000000103261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:11.790{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08B3BCF67CBD7E8306AD7F6D0B0020C,SHA256=11B8E51DFFD401D43C0F1704F40250EB743574DEE7582EF6CA3259F0DDFD31C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:12.805{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5043C075D82647BC06D8D4BDCB6833,SHA256=702316DC6DF97F92B9945D0D3266F7201E983D9CD37874056603E5EF008B7683,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081116Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:09.558{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50006-false10.0.1.12-8000- 23542300x800000000000000081115Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:12.099{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F79459A108FE41B4935A0B11CCBD09,SHA256=8C8B5D15247A4F5B1ACFFA0FAAC8C28EFCA27065183F312C10A1428B84666921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:12.024{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1042BB1CB947E0F6CE5C8DEFBD2483,SHA256=DD70ED7F19AAAF25F208AA080FCC7216C09A22B6F854B679B2427D4E1E4FFD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:12.024{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EE94733984D8C6F27C82590DF7F122F,SHA256=D8CA53E3D1367AFFF19CADB9259305262E8FA84549AD25BEBD36F8EDA10843CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:13.805{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84EFCB3DD3847B6A6A49DA517926349,SHA256=8471EE3F6582157B29CBAF6B9C360C300C71BCE6384AF8E6B4FC84B63897778A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081117Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:13.209{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B525589005E856BE8DBCE6EC94D892D,SHA256=6E9CE1DFE1E1BA36B0FBE46CE792C0694627D23B61ADC4CABE75FAFEA1B14012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:14.836{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E17F0EA737AC2E8D8A25E105B70425,SHA256=606F604C51D4D8596AFAD5B4F3166285599936B665FFF16454BF3F5C2260A2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081118Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:14.255{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67F0BD1F686926E4B5D8F48DF0FA661,SHA256=D5F535CDA95CD4995C5F9424F6A47038360212591977E01481689E79397D9013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:15.851{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0ED114ED09C9AF2CC496A39A06BA95,SHA256=2D55A38AC490E6EFF9B0A9854EB8EF2BFA771B91C25B70B21D3B0CB181049E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081119Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:15.318{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D864AEA76AC5BBE28AADA1EC37F4972,SHA256=ECDE394A0DF936E32A7AE9B9F4ACF2A1ABC7BB2A0E5A6E18CD2284A1E3C51A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:16.851{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EEAAC8FC463B2127BCEF52F4A67746,SHA256=F4D2F47FDC3993923089F575FE72684139769501A191344CD0FCB22F3C63AC66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081121Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:14.620{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50007-false10.0.1.12-8000- 23542300x800000000000000081120Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:16.364{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5407657A310725A6865F8C524F9C4F9,SHA256=A23FDCFBBC87B42EA89BB46617D565B52415D5525DDDB683CB78820AA261E895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:17.867{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAE54673207D41E4F6457A7AB425720,SHA256=0AF78AEB9CE8B5B5FA489A261F1318B2AD11B0EC51204FF66F9A60E6B66B129E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081122Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:17.395{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2A2B215B466D54316C2AFC2F4BB675,SHA256=D044FF5F6FF9AC0144165518D1C583450680CCE96951666AB81C1D1FD45B5155,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:15.415{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49507-false10.0.1.12-8000- 23542300x8000000000000000103271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:18.869{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E29B81DE318F26E649BED35DFF0875,SHA256=ADDFF877A0AD1D48811AB7F951D8723F6C00A30FF6432CBA6660F9147091FBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081124Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:18.973{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CCC137E37E9503EF621097B1B6481BBE,SHA256=8B0BC0F5FA6D7C9B637E69AD8D7C598FC30BC1006CEC7C3CC625497B49FFBD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081123Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:18.411{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A80DC9A42D584F4429E02AB87123FE,SHA256=7F3673026A3AC1C406375E244682294DCAD75E791D5D4ED2BB3D6A02BE5665B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:19.870{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046A781494380C8AC0748653770DC76D,SHA256=C405A2D2C119C44F2A97AF1862E116515718EC5F14CAED55DF9C563270CBF69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081125Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:19.473{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5450F9E894F7A66F6570E12A16EEE73,SHA256=A2119361EBBC3CC17FA7802FE1A0446D48451B93055C83E0C70E2B8CEBBA486F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:19.200{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-021MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:20.872{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842EB633E1ABA5B8F5B7E6D7D4122DB6,SHA256=4A09C02AF9015756083036542B5FF60A94A033D20772700A8B6E315EF294BA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081126Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:20.489{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27797621B521597732593CEAE64490F4,SHA256=F92B345422B1BD1BF4608422919B62BC6A40AD73FD93BB64C28070A8DCE78806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:20.199{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:21.888{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D302D6B970458619D60D0A0602B959,SHA256=435234E915730E87A1667475DD628F409DA7787FEDD7A1984037019107FA3158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081127Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:21.489{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69DF2713FC95E2BE39177FE16CADA57,SHA256=1A2AAA17E129B10B4471E3A5DDB00CA67557445E16EE3D53B616D8A08C46CD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:22.888{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEB1C37D92FAAD9D08A933E1381C250,SHA256=777007F5C066C898A1DA4229E31124BC57852960177332ADE46553ADF09E07EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081129Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:22.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F09DF444C4329D561F87561B1429D25,SHA256=E11019C3A973C45E652145F23CB1CBA38F1CBD01BB90BC339942C6F4AD9F755D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:22.716{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:22.716{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000103277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:21.342{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49508-false10.0.1.12-8000- 354300x800000000000000081128Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:19.666{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50008-false10.0.1.12-8000- 23542300x8000000000000000103281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:23.903{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4826EE446FD034B50432EAA7C04E1881,SHA256=076527478C33D49DF3D1FD02EC4C597CA1EEF60B713F662D9C87022E19A60443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081130Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:23.770{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19B1BBAE3B788BB25CA941890D6B61B,SHA256=307234CAFE781E9303CE6A000D75E07B48EF378BF459FCB5DA625A8DAF323FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:24.903{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8142404FF7C972D9CAD94791F8DDF1E0,SHA256=F92BD9A138B844FCB1844C47DE98370FB4AB6A63BF49A96A632BCD4D39144B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081131Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:24.771{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DD6905D819A3A39872493B695E8EC6,SHA256=F9F3017D84F4CE7A9DA6BBCDBBCDAED80C5EFB6E58C0720ECA32A24E57F3F716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:25.919{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A11AA156EB4DE9EB2DC10416F12F42D,SHA256=53BAF69B4DFC84AD7EF544D18EF3801912ACCB1D3449B3FBAC1CCA0EF06FE73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081132Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:25.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A04328AEDFE0717F0F2272040C0C74E,SHA256=574E1D75E0553F0056E293AE02C8C0AB456B5B525DAB569E5F0C562B1529BCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:26.934{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4763AFE5BB1A196AC291CB606A332645,SHA256=9C82B48166480BBFA8828FCB55A690934CA8F31D4F6720FA94AB585567833039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081134Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:26.864{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19302AEF532319B4B60AA1D35E3F08C8,SHA256=95174A670AD6F819678A2314E0669CFF8492D535C43865CCAC41C1753BEA334C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000103289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000103288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000103287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000103286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7b8f4-0x5acc76e2) 13241300x8000000000000000103285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000103284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 354300x800000000000000081133Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:24.741{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50009-false10.0.1.12-8000- 23542300x8000000000000000103291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:27.950{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100E15E242467E373C359298A74D196A,SHA256=F21E330DDD68886247B51E22E81247FB29FDD28FC2DF96FBBE50EF00D979D7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081135Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:27.880{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCF82F0DFCBC295DC46B667132BD254,SHA256=D55D65106599482B568040B5C7A6331C99473C28C748417C7D63DB949BA40223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:28.966{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527B468DBCD6A619064FA810BA26A264,SHA256=39761573BFF9769EA72DA6E52731979C44DADB750675ABC1CD03A7357A90AD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081136Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:28.880{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0100DAD140A237D141540161A281EF99,SHA256=97671F7547D65713139F49B68A17DB0DBE4B8373810105E80E9A93FF5084DABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:29.981{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397563404E3C64D72E050C67078BED92,SHA256=A25CF8E4B26FCBE374AF9E94FE4EB87E1C3D626813EF5F84DAE77EC94E181725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081138Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:29.895{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9125757854F3E6C6D42CAC0A9B8B18,SHA256=B68BDC7169BA665306B3BB7B1214085D8EDCD183CA1C104B643677EB248BE6B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:27.357{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49509-false10.0.1.12-8000- 23542300x800000000000000081137Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:29.614{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081139Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:30.927{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59B88DD6E8D3CC88B88A7F3C589AB26,SHA256=984F5A381765FCC98D30A55961B16EA92DB3A41DD98A20C71230BCB1E4F4FEFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081154Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:29.151{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50010-false10.0.1.12-8089- 23542300x800000000000000081153Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.927{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A50332E637436E10E503CDAD2DC8751,SHA256=BBFEA9E8102CCAC372AE9174C9A47AE3DE53E6BA294449A5464DABFD069A6A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:31.028{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14121481C8969D8696AB611A2BA6C7EE,SHA256=BBBC95152B529089EA821A8BBB6513222EA4D39BCE4D63963BFE1EB5F1A364DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081152Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20B-615A-3B01-00000000FD01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081151Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081150Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081149Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081148Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081147Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081146Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081145Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081144Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081143Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081142Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B20B-615A-3B01-00000000FD01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081141Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20B-615A-3B01-00000000FD01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081140Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.490{2FDD8D40-B20B-615A-3B01-00000000FD01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:32.044{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F24A37F21A47BEF1E1FF8A6AA0DF13,SHA256=DBB6241E0AC72157B19088A6CBF7CFAE69F508536377D8C332DB5BCC48D6D32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081170Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.505{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502C60261F8DEC03A03A184966B2F301,SHA256=ADDA9C7E8EB96B11CC875872E067EF1868684EDD457142A0F753210D1DE95556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081169Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.505{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18500C57143A85FFCA3C38740E68EDC4,SHA256=B990F168DAE0C78FCF2E8138BD021323899C815A5D61BF62D7328A88FB9B38AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081168Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.302{2FDD8D40-B20C-615A-3C01-00000000FD01}1956972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081167Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20C-615A-3C01-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081166Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081165Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081164Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081163Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081162Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081161Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081160Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081159Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081158Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081157Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B20C-615A-3C01-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081156Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20C-615A-3C01-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081155Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.162{2FDD8D40-B20C-615A-3C01-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:32.028{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=55B5040A4AE7B57E872DD98D6890C0DA,SHA256=6D365F6223169461383394BB2D444521B726D68AFE764CE2315E412D5DDD2288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:33.059{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABB11C3398359A9AC7041D643B85936,SHA256=ADEB914E547D0BD25CA7472E2F441987173A52224C611DA5E361106726C8B0EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081184Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20D-615A-3D01-00000000FD01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081183Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081182Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081181Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081180Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081179Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081178Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081177Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081176Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081175Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081174Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B20D-615A-3D01-00000000FD01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081173Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20D-615A-3D01-00000000FD01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081172Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-B20D-615A-3D01-00000000FD01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081171Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.005{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8166426C55C042866FD9B9B4DDF5279E,SHA256=9DC03215F66B52F501B2D953FFE36274AAEC553032A288DA376C595D584D13F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:33.373{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49510-false10.0.1.12-8000- 23542300x8000000000000000103299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:34.169{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A663898B47F7E6BBFE39042F4576D7CC,SHA256=C900830F42D87953038E9B288A9064CDEA9E6DDE7799D8806BDA7F2791838484,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081201Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.896{2FDD8D40-B20E-615A-3E01-00000000FD01}15362360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081200Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20E-615A-3E01-00000000FD01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081199Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081198Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081197Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081196Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081195Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081194Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081193Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081192Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081191Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081190Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B20E-615A-3E01-00000000FD01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081189Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20E-615A-3E01-00000000FD01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081188Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.756{2FDD8D40-B20E-615A-3E01-00000000FD01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081187Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502C60261F8DEC03A03A184966B2F301,SHA256=ADDA9C7E8EB96B11CC875872E067EF1868684EDD457142A0F753210D1DE95556,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081186Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:30.698{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50011-false10.0.1.12-8000- 23542300x800000000000000081185Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.005{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95560CDEBA5932E75674F95B7DFE49B,SHA256=16AB0BBCE13215648EFC26F68D8E327813B8EAC3C442A29BDF8C672686E1A1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:35.184{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DDFBAEC3D50D8C00A888698F5AA0CD,SHA256=37F7D8C90632D5FFD2B7FF90955278C3FBF7BB1933B341F9A11CE4C0AD81B50A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081217Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.943{2FDD8D40-B20F-615A-3F01-00000000FD01}2924024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081216Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20F-615A-3F01-00000000FD01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081215Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081214Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081213Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081212Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081211Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081210Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081209Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081208Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081207Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081206Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B20F-615A-3F01-00000000FD01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081205Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20F-615A-3F01-00000000FD01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081204Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.787{2FDD8D40-B20F-615A-3F01-00000000FD01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081203Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.771{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06C5E007CC25D7E8CDBE8D19F507AB2C,SHA256=160F1EF5530081FC6CD1C87420600FE19CDFF3F646F75B0E52A8E43B3421D694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081202Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80801472BBF93AF03A1E85EE1298CCE,SHA256=C2766AFAEC2A2945B39F5633066B3C2828B9060E3B533944F9BF9DE560C8A0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:36.194{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B06A2F9E0ECBD651E51C95B143F97FC,SHA256=36A1D177537BDCCA9F83C24066F74E90500B03F301D1C09C588641D2C1CE3715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081233Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.880{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61F5D2FC5066EC6ED6C978A247DCD3DD,SHA256=F97BC55D2F1284351BA70DAF20CCAC92F095BD7F3130205E4885EB1D67DEDF6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081232Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.755{2FDD8D40-B210-615A-4001-00000000FD01}6361160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081231Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B210-615A-4001-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081230Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081229Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081228Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081227Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081226Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081225Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081224Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081223Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081222Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081221Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B210-615A-4001-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081220Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B210-615A-4001-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081219Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.584{2FDD8D40-B210-615A-4001-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081218Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22310C323E32294803E4B5D1F22ABC1,SHA256=EC303E1FB98ACB7C30A8DFD7695D0DAE26E1AAA532E925A290D60CE6BC85066D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:37.241{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FE5181CA0362E5627DE0D1A9083647,SHA256=C188697E7CF6F0EE7F246300E423B6F81A89ECE4C8C2A3761CBFAFD367C4178C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081234Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:37.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64084E28DB9F59D716656F80D5B2466,SHA256=D3820010D4162773D63E70CF033A0FFF34A0588C4D59D896B09FFDE15F1BCADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:38.272{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEBBD5C4C14DB9270F42948F5867BA2,SHA256=F5356CB315EE4C1B3C491E5413CB53CABBCEC1403CF8CE537F07016660D25B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081235Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:38.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300F681B585DDB6A0B37181CA47D0B4D,SHA256=EED5AC2B4D0A37C83B8A515FAE24E3CA3E6DA0F3EA74BB64E6AAFBB401E17103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:38.445{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49511-false10.0.1.12-8000- 23542300x8000000000000000103305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:39.288{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99E2596A93876AFF72508B9005DF2F7,SHA256=60EFD2B4241CA530F88EA1C08A8A6E30FBE419734DEE1785948112D98090401E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081237Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.604{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50012-false10.0.1.12-8000- 23542300x800000000000000081236Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:39.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2531FE9A302E1539BD9174B391E6BE57,SHA256=6F331B0782FBE5D4CAEB485FDF4758C995141AC317DE33BF49CB526508C60603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:40.288{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AC2983FA5868F0C3502C10E9145157,SHA256=78DE57FED4191CAD4DE676DB57EF2C4C3F566DBC2D667887D3A10139F8AA9BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081238Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:40.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D04350E5974AB425A3C56B3643634E,SHA256=2E099F488314C18E869A24A5801882654F0CEA73810973C9B5959A3743E53174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:41.303{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC0E80599228B4AF9D78BB7C58C703,SHA256=5EF00B0DAB72501848A16AE94B8567805E5232A9CC81420DE6D187FA5AE651CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081239Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:41.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0265689C0233FB5A32660CCDF1DADF,SHA256=9445E8942A9C21208217943DBCB160AE86A19EB787458CB70ECEA05FB8723B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:42.303{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EFB0DC8A3EC96A12BD0BF8B4A3B5E8,SHA256=396C526FA068F57D5489CAEA48031372E42C0E4F34EF3E42C77D34B8738361F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081240Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:42.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BD07F4C9470E8272505C98AFB5EFF9,SHA256=669006CD7C9E54DC7372CDAA1F7E957C01A1F12D685C7A400F9D0502775B434B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:43.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B569293EC3A452BB83DD570C6453AF13,SHA256=E668571DC87CE48FAEFB110EB21B9CD6EE479E0889B7E4820614F79E4BB082CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081242Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:41.776{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50013-false10.0.1.12-8000- 23542300x800000000000000081241Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:43.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65740B47CCF9CC968EA2FB9A0BE0797F,SHA256=18FBC1444325F1A85F251AE76D8EDCFD04E462F0379FEA93B01E47B86F3AB1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:44.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDBD3916FEEB037523CCA69434BDDED,SHA256=E95311B8EA311175931C3C6EE7B71276F73F0511B31ED267B784A2677CEBB9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081243Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:44.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353093AA4F1C50D91BA354DA56893415,SHA256=ED43FD9471F9FAD56290F9D31551966EFAEB04232F05FF5F9886DD2A6C81F48D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:44.353{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49512-false10.0.1.12-8000- 23542300x8000000000000000103312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:45.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D47160D81B4EB8218CACA2D1E49632,SHA256=365CF7A8AF8069DAD9E61458B9FDCCD252548B429218CAA090E174E39749D469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081244Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:45.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359218BCE6BB48B99129BBCCBD46A889,SHA256=CBE6EA706E49624D186ED7812A1D6141984B18FCB263F457D3FFB5B1A6ECB169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:46.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A569DF6E1C85AE2376084C27AF26D676,SHA256=F546EC88BA17E0058423206EC56158A66482C362499AA5701F3C7815EF78DAA0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081246Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:49:46.818{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0x66dfafae) 23542300x800000000000000081245Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:46.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1867B405DF2FB9C856399268381B3530,SHA256=858639309D5D821BDAD570A91ECE4594411D58A51D02996F27DFF1B5B73BCF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:47.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987D1B53658B1A6C44F20E7821C247A8,SHA256=15A55CC50500BE2BCC3F2AECDFF46FE7C0AAAA3D02A149960B1BBA1BA4636F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081247Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:47.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EF3F1A228349456C00836E5B9B155F,SHA256=60E87A4D78BBF63D8EA860EB11FA25292ACF44040779BA72634B1E8E778C3F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:48.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F138A5D25114F6DC79994767C2473A,SHA256=F2D9C7653E9386C2AEDE76F96F685825909BD720FCCF13C110458AFD9018C128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081248Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:48.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D9BB299A5816F130DE083D83AC23B5,SHA256=A1C5BE8C4E8E5FABF7CE50EC55CDFE2F6896D3E739ADDACC93BB33DE49A828CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:49.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A05430E168ADE11E1205C41BA86509,SHA256=AFBCA1E742F64EEACDE8A05E08ECB884DF39CB08C5D2796029B8FE6A88079EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081249Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:49.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10D2296851C7A458EB9A4D0B694C539,SHA256=815FF7F1C6C56BB804767507DED8E3489AE8CF179E70323A52A07CCF3E95ED01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:49.477{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49513-false10.0.1.12-8000- 23542300x8000000000000000103318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:50.335{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BB71A7EA6A431E5C4BF1A71B438211,SHA256=8BB69A4590CB8A5F87D6875F219DA4730747FF11E80372BA4A64AFD11CB83538,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081251Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:47.730{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50014-false10.0.1.12-8000- 23542300x800000000000000081250Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:50.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B605CD3C6764F6BFA6C79DFBE32A0F9E,SHA256=EEBBE89AB6E7D84208E1D58169089B057A4C97728A173CF9DB2B25B8319340D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:51.350{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359C4EE46D3BB9382DBA4C7051184348,SHA256=23D1AA70131753D357DA06C6B14F3A1A40EBE5A7EE56627D3C56328741A30291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081252Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:51.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088CF4C20A7377CE467009710113466E,SHA256=907BB0749C315681D2F108E3449C4B98B08AFED569F99298BF94C3707191C365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:52.366{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45262FB1F5BFC5262199D3A21F9A3DC4,SHA256=B5C49F21A617183BD5580EBA850436DCAECBECF169F008FABCDBF2F3D1ADCC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081253Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:52.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2C6F669F41E0ADE61CE41473C6573,SHA256=F3AE13E9F9C89FE93E27ED877D924B5832DA5ACA83E1B242791B4290F82DB59A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:53.382{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F12882F34435CF621891C50FBC7B69,SHA256=2511E5D723E6B7CF3E5E23841703ECCB955F34FAAFA6AFA7C2E09A25F26E3DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081254Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:53.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DE761D82145221D4E8B8B78269E944,SHA256=E2473BD4492FEFBEFC214F8B62E8D5E8E51D935D826012D56771CB0057D626BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:54.382{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C025A99B7E089103A313A1187480606,SHA256=C29C39F274887110CC0134D918315D6C0EF29FD59C6BF5B161866152C473EBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081255Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:54.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9E8BBFFD51D7F63AA8529378927C9,SHA256=D870E228E716778778AD7CEC0A244F458D83C6B17A287992B84BADDC1F95C454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:55.382{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17604ED95AB8628E3F5CCE78407149EE,SHA256=70BCB87634BBE43AAA80EB141ADC28F2211E416D6DBE775726C93508B157FE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081257Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:55.089{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-022MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081256Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:55.023{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE27312FCAE4ABEBB5B2B7FF91785A87,SHA256=807A3346EF7DF29478F241DE94ACE38D8DAFBA84648B7D119A7E12BB430AC62E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:55.368{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49514-false10.0.1.12-8000- 23542300x8000000000000000103326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:56.807{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:56.385{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3724D8163FD63C57FBDF0EF81CA5280E,SHA256=796A397B9A1EF14B1605C3C15FE3D875E3E972548A604939381A13D585AE5B3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081260Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:53.573{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50015-false10.0.1.12-8000- 23542300x800000000000000081259Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:56.088{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081258Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:56.024{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A09AAC60C93D34AD943C3C3E6AB7DC,SHA256=F045683A2EDB8889014DBA68C43767234FC5FF083D4060B6A32CBD2CBD5273F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:57.028{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49515-false10.0.1.12-8089- 23542300x8000000000000000103328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:57.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8749539B5684A9AE7E373699DD1B9F,SHA256=FBA20D11C7C58EE967A5CED59F620383B563D4420B774493A2D1545CB1D882C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081261Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:57.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE031328FCE97A751D6AB159F017A87,SHA256=F185C637E7788092F620A3D57CCD6DC569C22C14ACCB2787F4DD265C8AF5D936,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B226-615A-C301-00000000FC01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B226-615A-C301-00000000FC01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B226-615A-C301-00000000FC01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.652{58E9C193-B226-615A-C301-00000000FC01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEE5123B259C9226DBEB118769C6800,SHA256=C8FE3A676CC857DE79FB9F0C49B81208EF288EBADA38CE6D416241D877D57F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081262Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:58.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07048FD64589D978802DBD3FD531A1A0,SHA256=A27D8AA902BA49D196D4E944A994A930F90455617EC2B3588DB23D20961E927F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.246{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49516-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.246{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49516-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000103350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.823{58E9C193-B227-615A-C401-00000000FC01}70965920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B227-615A-C401-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B227-615A-C401-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B227-615A-C401-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-B227-615A-C401-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.510{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B842E886097F9B74B83610105692F9,SHA256=C46D731AC9B57E41FD856137C88925225099C29AB2B4A0A156CE612A1446C5E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081276Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B227-615A-4101-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081275Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081274Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081273Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081272Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081271Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081270Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081269Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081268Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081267Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081266Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B227-615A-4101-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081265Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B227-615A-4101-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081264Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.120{2FDD8D40-B227-615A-4101-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081263Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C38E77C4EC4FD3827D6539E17438B07,SHA256=02527A248796AF66395E4336939F558ACBC73242CF78BC82F2F9F7644ED6B795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87619313F135AC84E0A5503AFA65F1A7,SHA256=242A3ED4F7851B592E7D38BCFE3C2D60B4BE34782B143EE77E651A6966F7F1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1042BB1CB947E0F6CE5C8DEFBD2483,SHA256=DD70ED7F19AAAF25F208AA080FCC7216C09A22B6F854B679B2427D4E1E4FFD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.714{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87619313F135AC84E0A5503AFA65F1A7,SHA256=242A3ED4F7851B592E7D38BCFE3C2D60B4BE34782B143EE77E651A6966F7F1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.511{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D586F885F6C527F0CC357CBCABE72E,SHA256=C0770F5DEA9691432C5A15A992E4E36AE02820F1075234922DE6FA56B43CCD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081279Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:00.228{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99938CB44E88747CF224886B336C5C34,SHA256=9B755D62DF532B645C721BDEB6B403CE7197EC087433F915151499F277A9B679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081278Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:00.228{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB746ED7CBC2B17690E2D0FB77EA864E,SHA256=BBA04F8BA2E4420E3407A85EFAB2ECC4E124307936E79D81C22F96DE987FC3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081277Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:00.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73980F37354E49ADE54C7EAEA08B9DA,SHA256=C63DBB59B50892A56A45C263645203C68F0959938E48444B5584BB07C3AC717B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B228-615A-C501-00000000FC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B228-615A-C501-00000000FC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B228-615A-C501-00000000FC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.496{58E9C193-B228-615A-C501-00000000FC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.387{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49517-false10.0.1.12-8000- 23542300x8000000000000000103363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:01.542{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14444F75A818BCDB4480583C5BC7FE98,SHA256=6E4C1C692EB502015A0C8BE1D9BCF7DCAF58976D6A1811F969B146C5B0D11B6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081281Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:58.624{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50016-false10.0.1.12-8000- 23542300x800000000000000081280Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:01.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0119C98F1FAA53FE3EEA3D5AE88189A,SHA256=4C3C358E394F642F3B3C8375A1744F8453BCDE820299CC2DC9CD0C274FFBDEEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.604{58E9C193-B22A-615A-C601-00000000FC01}4396576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.559{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E64E81B62D7F15DB9AEFBAA3FFDA2F,SHA256=BDE9993FC99A656EAF13A3771B28C1356AAA7EBEF29B61C0AAB558998633AFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081282Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:02.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21B887CC1AB2A1D1435EB0CB1F798E8,SHA256=2CD2AE434636602081BC4D7D6F89C04B771122668D0B0BA74ED397212EAA79F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B22A-615A-C601-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B22A-615A-C601-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B22A-615A-C601-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-B22A-615A-C601-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B22B-615A-C801-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B22B-615A-C801-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B22B-615A-C801-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.933{58E9C193-B22B-615A-C801-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.573{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04C7D607C5FF6E5AB2DA18EC68A2092,SHA256=846244735F96BAC6F09453F763D9450A16F599980117A1C3F5E6DFA2D46F3635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081283Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:03.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D1C9E83EAE52842BEDF0A494F32C2A,SHA256=6368784E9B26C31B20572F6122E4C35D649B4E1F58020CFEC9B9DC86BAE55CE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.479{58E9C193-B22B-615A-C701-00000000FC01}23642488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.385{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7233403FF7B01D6D49F0B7D8C58061AD,SHA256=8B47CD251ACD86CA969DCA38A936D6B6513548D3525335D3BA14A2473F57227F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B22B-615A-C701-00000000FC01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B22B-615A-C701-00000000FC01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B22B-615A-C701-00000000FC01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.261{58E9C193-B22B-615A-C701-00000000FC01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:04.589{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63940FF54A3057EFC091F81C59F80EC,SHA256=F79E1326B8C68ACC2A807A0F95F1F2441D8FD06E2E05D9ADCED21F3912F06950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081284Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:04.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7890D356A48085411B7090B627A684EA,SHA256=A06C418423AD971F0694535D719CADAA4C05BC2949A3CE2279926178E99FE98F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:04.276{58E9C193-B22B-615A-C801-00000000FC01}44126384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.854{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.589{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C933286A3C1EA4EBFAB7A0EBEC9AACC,SHA256=11406443AE3193E2A95CD072CC00BA8FCF0B7488791E14B24D98915B50867952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081285Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:05.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CF17A98061834211DA161B13150AE7,SHA256=870E8998F10A6AE33A12BCDAC6D4704894A3037FB36785E79B22DF04BF62AC15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B22D-615A-C901-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B22D-615A-C901-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B22D-615A-C901-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-B22D-615A-C901-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.167{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=332C367C6A99E74E6C542ACF55B35077,SHA256=0060C0F83E8CA158392DBCB32FD0E49164EFCD36B701DB03094359E5A49EA39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:06.620{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56086A6535B296311DADAAC20FE0C4D,SHA256=C2D7B02D9EBFBE3493B4A64408DB3188E5DD79B7B2AD1C34866DD5EF1EF3416E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081286Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:06.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CB32E6AE25B6ED847DF60452AA6067,SHA256=E6A814F9C0E9471CDD4D92B491F0A09311C309DA5DF7240D81B1CD9E1E2A876B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:06.432{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16D156EBE0EC7D4C1CE22E5E9DD28A43,SHA256=6D30310F8DD2D0484D912BE65DCDC74FEB1796BF6F67764E372F44BA14FDD61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:07.651{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355D624C40E79068258317B6C6A3EBA3,SHA256=E55E8DD0024A2A1FA323A9F2695FAD6406A694C33CEF841911AE75437648C019,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081288Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:04.624{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50017-false10.0.1.12-8000- 23542300x800000000000000081287Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:07.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8583B218D1B2AF611B75E1619ECA2AA4,SHA256=2AB7F781486BBFEF654440FE9F5AE3D4C36CB265481A2330C26C3FDA2DB20215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:08.667{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0FCC1D614AED1DE76602E57B5D9947,SHA256=B703BFA1F49EB64B6FC9B163A4B509A0050E543030DB219C77C29240DD61333C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081289Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:08.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F467DAA6E423BC479BFD7C53008789,SHA256=D0413C5C62318933348B58E838F2298F5DBE4332C2156F792B2912FB0C492B01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:06.340{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49518-false10.0.1.12-8000- 23542300x8000000000000000103412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:09.667{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCC3A9D32F3D294B42A672E0A906EB5,SHA256=16A1A6483E3C36CA126103D6A9BDF7DB383613A7B7FBDC8126F867FC766DE7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081290Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:09.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7557E17C913950FA84DD2ADEDE532558,SHA256=3862EF8DC829CD28A3EA8BE7F8B434605E0C780DD4A67649F2ABE24AC0FBF6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:10.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D2F684BFFB9D7FD890AC88E2683760,SHA256=6050321BB71EB13C9F868212C7DCF8EE32DAABA6CF8693FCDA623BA355C84A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081291Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:10.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F952784BD7AD106D7DFA5016190A3C,SHA256=98DD207D08E4103A72ACDA04A044E346E4716DE6B590D7206D62874C836C9549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:11.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED1833A94424D9839EB07E7DDB74FF1,SHA256=F28AD4D3FF17DA934A16855486C6C0FDA7B6FCFF2FB11825E44997C4F21B2396,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081293Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:09.734{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50018-false10.0.1.12-8000- 23542300x800000000000000081292Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:11.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D15479F30E992CF4C0C46A9D70AD6DB,SHA256=AA1EFED14234913E719C4B5190A6BF2C951690C0B7A20986A1307F57C5F5C438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:12.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57DF4C92DEC55B858AABC035FEAA440,SHA256=B56068EBE9DF5FD362241C6E901500022D6BE4A78A1328AD7A1573CDED093331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081294Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:12.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DAC18083385587D112EF0F11180869,SHA256=33C0CB6565F7E05A7644C50E5CF081126DEB23555C4FCD6375D1C8EA97575E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:13.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323D6D2730A1F9A253F0F58AEB1C1E6B,SHA256=FB5FF7E9745E12BAB91B362170D6E232FCE770B355366B8267D37CED2531010E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081295Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:13.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FA1997AFADCBFFDF45FB5093D1FFB0,SHA256=FF5C5D478FC3AAA0EC9A811DB3B0CF8D6B864E6DA70C0554F4C17D8B26CB1551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:14.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389D221A44081352CE319CFA42059DB6,SHA256=1DF23E7253DD0EAFF74E9896CAF7D52E8D9294A86C78BB84DB4EC96C888E1EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081296Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:14.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973AF5270E6D7634C82EECB32C16AA6F,SHA256=AABABBF18E9680E5245116EBFAE118C060A9E1A636B5B5DBF44616EB1237BA05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:12.340{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49519-false10.0.1.12-8000- 23542300x8000000000000000103419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:15.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB99175211B633C45F2DEDA456B4739,SHA256=EBFC8AA6240812B97723E23E15007AE6642B7F2E49FC0465A562440FDF9FBB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081297Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:15.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5F6EB32B701E715FC16AA5EA2B7740,SHA256=F08BBA3214BB66FC2DE4B7E6D16BDFCA9DE27F49B8684F5957E78C729210DDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:16.712{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C8C5381F387355678D853D8A449B5A,SHA256=8392C840033A67A1578A6730B1332AFF96E37ECCFC298E5786CABCEF3A51F560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081298Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:16.055{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACFBD017C47BDA8679C0E9CE249F736,SHA256=75FACCD4E414FAF3D52D5615EB894D843B05E130AE31B30025B32D8999E9BA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:17.712{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD679FBA534BEC666467835F8ADD0C9D,SHA256=DDCF2BC223253137AA72CC76AE5DFC0CFFC7A43B6F9BFFA99C8BEC53677662FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081299Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:17.055{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5453BAB984C9336990482DFB9238EE5F,SHA256=4B5828C6B49CB0E613AF251BB8D4EDBDCE004E97DD09D5264F138A43521A27A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:18.728{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526A9B0FF7D0E1A4E2B825C763304F40,SHA256=AEF2F899B55BD2556B1C19A656E2CB3C348686DCE7DC5B6BC4CEA611DC41B034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081302Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:18.977{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D404B35E2CE513C05695CFE244417242,SHA256=E1C6FDBEC79F5487838FF80C6196BFCA7E135F4A5E131D898435C7031EFB3D8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081301Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:15.638{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50019-false10.0.1.12-8000- 23542300x800000000000000081300Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:18.055{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C7762EED29C7225D69FB109CCCEA68,SHA256=EA49B68D2E6ABBBFF4231C33858633E0F7ECF98AF95AD28FE4FB91440AA0E87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:19.728{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9905AD61E32FEB02971D9C786B61CAAD,SHA256=087D9C5E09E458AC0C82A034783C0031B954820D019C37E4050978AD1665FEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081303Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:19.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F964FF5C86AEFB617C9D662C356C7B99,SHA256=4F58659329DAB5DADA441ADDB077BCAAFDFBC9CDF102B45CB2A1B10477A2D272,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:17.371{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49520-false10.0.1.12-8000- 23542300x8000000000000000103426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:20.729{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019680160E4F160CAB85E39836BEF1C5,SHA256=3457BF95B76D4672A38C57265B48226A8C4653652F2B7316337B9CFE3911C7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:20.716{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-022MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081304Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:20.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE21AB1BBE364E2D352FDD127EA35BCD,SHA256=C346C8A52D375DD57467749A8C6DF9CC7D677B727D165BE5540C341EADAA5A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:21.731{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1C6E7A4421BF9C8221B8484CEDDAE2,SHA256=0A99E51C501399AC052DD10122EF497BC35A375E86DD7DF015C9754F99500450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:21.730{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081305Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:21.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FEFAF02FB1D408D943ECB279C33CC0,SHA256=1B8BCE9E9B0A0DF52DFB3A1D2B9099C82F033F77C23E7DABFB90A601E3D62B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:22.779{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F0BDF03DFFDBFFDEBE6FDF51E8A325,SHA256=7077BDB3C00BE2F14B528D0E610F0B41AFC42621D73877444B7063451B7D406B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081307Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:20.639{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50020-false10.0.1.12-8000- 23542300x800000000000000081306Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:22.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CA2D332C068358D3013C7EA155E6EC,SHA256=0F650A099482E59A58FEC5A7C97DE31C5C2EB45B0361C555F7590513F943329F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:23.810{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61B8BD4F1779EFA4CE23AC312BC5B67,SHA256=112E08BDEF7B91F38B867F3F345AE6BA2F2C1A26E074F4601EBA0F3355AAFF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081308Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:23.164{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D83DA274688388095C589EA6961C80F,SHA256=4B475B114890B6B823996EE8AA37E5A92250F70DDDF92F8FDFDD31192D3D8A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:24.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993C2477BF0F885E615467F582ACA479,SHA256=DBA55011BA4F093D2821ECB4DF624F6DD0A7B11D36FA995F8F39A2C7157FC241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081309Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:24.180{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B1A157DB9D58A6B1C6771AE2C046A5,SHA256=9E29CF559131DBDA70439455297C40361D720A8FD8F65CF24529166231551B5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:23.297{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49521-false10.0.1.12-8000- 10341000x8000000000000000103462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-CA00-00000000FC01}4172C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-CA00-00000000FC01}4172C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49F16A8C24F8B885C119CABA2E8C653,SHA256=6418B6074FCDE1B63F6FCE7D6DCF63845B875E2E851147CC0B4153A3B3D48615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081310Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:25.242{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0A20DF3A70B931BE2E8BADAFF3B723,SHA256=56B5535A782FD85EDCD3C88E6105AC2FF089EDF23340BE517B50ECC230A0F015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081311Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:26.305{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE0BE46B217AF67AF75711392EE4EC0,SHA256=45DCEF86ED9B9A4DEC83246BBFA4FCEF56ADBEAF7F2F4656171147489D5A700A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:27.013{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE68BA600C80C8A7FFD55E398CBFB8F,SHA256=3B3530096EA6E9A27F800BA68392DD2F3FA575EC3B4577D35DD43BA69FA55963,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081313Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:25.701{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50021-false10.0.1.12-8000- 23542300x800000000000000081312Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:27.305{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0C525456CD15A1725D5BDB48B572FC,SHA256=91F0705DE8D798709C7C2DBCE84BB8A2DB485150750D3E42BD537028C20324B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:28.263{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE2023E2321B2D8681188EADE12DCF9,SHA256=881697B01D7124459745891AE861219F2C3F4A158BEE2A08EF6E07CA7550290C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081314Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:28.367{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AFC83C54CD690CF787E112789B63D5,SHA256=230A9C8E7ABB730DCCDBE24A299F17A103759F069D5596D0BBC37E1182F80C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:29.482{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16B67AA1A62F84A43092020AE9B1BC6,SHA256=97C6B9E926D834A3CC526D1BACDC6BF1A3682575CE1F23C98D881E165D3333ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081316Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:29.633{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081315Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:29.367{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079E2D4C57FD2D99725035AEDBA5D6CE,SHA256=047709718A25CB83A92448A54C83CA9D8400EC36389D084ED64548F54A92F5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:30.482{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ABA666310FE6289D17775500C9234D,SHA256=BC6D0E00220E4831FD85262B8311F5993D0AB07E0B1BBEA1C491D139F1833ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081317Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:30.383{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F478FC0667921B6EA9F93DC8AB9CE928,SHA256=35636AFFEE6745C05FE6154C068B124A095DA3A46D62F09BB53E4C304B30830A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:29.297{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49522-false10.0.1.12-8000- 23542300x8000000000000000103467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:31.498{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D5CBE17C0456CD7D4F220AEACCC4F3,SHA256=2E4F6A4B942AADB515D058EDB74722D327E288DCC10192E7297AB0C603BFB4F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081345Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B247-615A-4301-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081344Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081343Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081342Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081341Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081340Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081339Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081338Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081337Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081336Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081335Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B247-615A-4301-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081334Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B247-615A-4301-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081333Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.993{2FDD8D40-B247-615A-4301-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081332Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B247-615A-4201-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081331Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081330Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081329Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081328Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081327Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081326Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081325Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081324Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081323Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B247-615A-4201-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081322Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081321Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B247-615A-4201-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081320Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.493{2FDD8D40-B247-615A-4201-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081319Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03BBC9C1D94735E56BC1207CFF12077D,SHA256=04B2847209CDC58FBC868929F61091CAC753E5C886A57AB4A6D0A945C9FBF60D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081318Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:29.170{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50022-false10.0.1.12-8089- 23542300x8000000000000000103482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.498{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA9098C0882710A025C20117C8B0B19,SHA256=7579B75CD6CBB26BE77F8821AD5CBBC59CDF0D31DD106FF4B8C731AEE369D527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081349Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:32.711{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D8FC6F22B933492D8CE9C822BDED15,SHA256=149F73684244F6DA527F8D61DD9EB4FA7D6A603666A86CFE045439299E81F45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081348Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:32.711{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99938CB44E88747CF224886B336C5C34,SHA256=9B755D62DF532B645C721BDEB6B403CE7197EC087433F915151499F277A9B679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081347Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:32.711{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B91D1349A0D773BCAD0E870F357BC5,SHA256=E2434543F16E0746B89A15FFBC34C683671F57488A05A59D0879D850CE7DBB4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7F01-00000000FC01}6708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7D01-00000000FC01}6824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7B01-00000000FC01}6420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7D01-00000000FC01}6824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7F01-00000000FC01}6708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7B01-00000000FC01}6420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7A01-00000000FC01}7028C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7901-00000000FC01}4228C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7A01-00000000FC01}7028C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7901-00000000FC01}4228C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7801-00000000FC01}6240C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7801-00000000FC01}6240C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.029{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E16517D407C2BF99377479B4422BAEF3,SHA256=8732D534A4CEF855EE5E0FE23E4FCC779601A276424D171BB334FB21C6C3228B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081346Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:32.211{2FDD8D40-B247-615A-4301-00000000FD01}7843728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:33.888{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:33.529{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B96F00D135A8679A895228BCBA4006,SHA256=3098DAD7F6D3EE11CC67855FB444CFDE4DA31E6AEF85BA001F6EE1FF91DF17C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081363Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.758{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEE956349526E53C8DC3F4297D67A39,SHA256=230D69DD97CD0C7FE28EDCFF1E6D04C196B53C1AC16F8AF2900A7A90B99F8F95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081362Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B249-615A-4401-00000000FD01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081361Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081360Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081359Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081358Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081357Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081356Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081355Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081354Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081353Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081352Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B249-615A-4401-00000000FD01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081351Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B249-615A-4401-00000000FD01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081350Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-B249-615A-4401-00000000FD01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081380Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.961{2FDD8D40-B24A-615A-4501-00000000FD01}23001032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081379Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B24A-615A-4501-00000000FD01}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081378Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081377Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081376Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081375Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081374Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081373Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081372Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081371Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081370Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081369Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B24A-615A-4501-00000000FD01}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081368Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B24A-615A-4501-00000000FD01}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081367Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-B24A-615A-4501-00000000FD01}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081366Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.758{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9548BF999EA3965C5AC55A824501E3A9,SHA256=CC94BA9B6B7606947B4E03DB653A1B3E5367151E938936B23997074736A70699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:34.529{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394F7FF20FEE5E7C6B291A352569D4FA,SHA256=573C5EDC1030645A80DC0B76B56F22AAF9EB7940BBEC8F05F3304FDFB36FBC1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081365Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.669{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50023-false10.0.1.12-8000- 23542300x800000000000000081364Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.180{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D8FC6F22B933492D8CE9C822BDED15,SHA256=149F73684244F6DA527F8D61DD9EB4FA7D6A603666A86CFE045439299E81F45E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081395Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B24B-615A-4601-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081394Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081393Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081392Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081391Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081390Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081389Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081388Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081387Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081386Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081385Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B24B-615A-4601-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081384Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B24B-615A-4601-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081383Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.806{2FDD8D40-B24B-615A-4601-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081382Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.789{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C729355C1384E2667BD8E795EA7C3D2,SHA256=FA28F80AEF1ADCF89DD170C248DB2042666F247DF240073B84BBC4FAE5C925CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081381Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.758{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E4933F77DCEE23A86AF44A0168A2F7,SHA256=8C25D4BECBA126317EAE67A7BA8B99F30E2A6C9D461CEA053214B966F7FE6981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.529{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419D6E906A35F8CD83B187F2A5D21116,SHA256=302A26DAD7CFD7DB2186F2C7BBCD71BD218B30E1CF823A4A06393E511C106902,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.466{58E9C193-ACA8-615A-1500-00000000FC01}11281436C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.435{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.435{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.435{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.435{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.420{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.404{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.404{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.404{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.404{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.388{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.388{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.388{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.388{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.357{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.357{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.341{58E9C193-B24B-615A-CB01-00000000FC01}7126888C:\Windows\system32\conhost.exe{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.326{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-AE68-615A-C800-00000000FC01}45483372C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x8000000000000000103486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.323{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000103515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:36.530{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B4B668EC27DB50480A409BE52C8F2F,SHA256=E08B85BB885D0ADEB81FC9231432068DB5AC28640330B47487E5DDF55B5E3A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081411Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.812{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=194D703A57CFB9C798EEEEF3E8631F61,SHA256=1FC860FB3E0430E1893C99E39E438A87A326EBFE34F1432EF0AE434C59E895BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081410Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.780{2FDD8D40-B24C-615A-4701-00000000FD01}10642568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081409Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B24C-615A-4701-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081408Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081407Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081406Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081405Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081404Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081403Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081402Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081401Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081400Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081399Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B24C-615A-4701-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081398Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B24C-615A-4701-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081397Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.609{2FDD8D40-B24C-615A-4701-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081396Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.015{2FDD8D40-B24B-615A-4601-00000000FD01}31283132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000103514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.344{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49523-false10.0.1.12-8000- 23542300x8000000000000000103513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:36.312{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AAC630B913DDCE7A21AA8A617543CC5,SHA256=133B5FAE1202EF733F56434730ECBB8EF239853505EFF786CCF4021FED92451C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:36.312{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EE82C23D2C4A78015C1B819221F3250,SHA256=2BA01E49DA9929721B936180E35A1B7D9F9B2B38C5600166E5FC651F77AFA91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:37.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850D71501095BB344AD4F15BBDC9ECD9,SHA256=D4DCD9A6C8D684787173073BCC39FE3FF4F31A96C533E5BA8C476D8277265434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081412Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:37.094{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5BC0DFDF09F73733327D2F3FC6287D,SHA256=DE77F974BDD0A162AA3FF1DA05457ADFA625882FA5389F83A48AF9EB01E883E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:38.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8811DD926CBB87944630E112AF771DC5,SHA256=ABDFD34EE1AAEB31712D78D0313AC41C68D589B1EEDF250EF0CE462CB1E1225A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081413Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:38.109{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4238B0F9FFD8254A8BF640E4D8348691,SHA256=622F26ED6EB94989968F3819A593F12AB8471FF0A6D6121AE239BB6B8762327A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:39.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619A77A4732120F483169C0D3312BEE6,SHA256=19393A00445F9257BAB11239AB86D009F7547F1E9C8D244C4DFC28BBF756E7E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081415Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:37.598{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50024-false10.0.1.12-8000- 23542300x800000000000000081414Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:39.109{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A22A9C73DAF6BC550245DC15EB9FFC0,SHA256=08781C3F9D039512B029B69A42751FD6F8AEF8D6D3C8CE33A4BEC7F7BF5F3681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:40.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163E9974918192B032E9DA3029503DD9,SHA256=023173DD6A4B7F37A360B0B856110DF5886C2EE255C94622C6E98108F70B5DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081416Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:40.109{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86065E45425416BB9453F19623CA6314,SHA256=1B3C7E1C5D84AA8F740DC40E6AA407E356CFBA4272EF434B50449087904C6317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:41.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB797BB352CB301B37E1A92C90E2ECF,SHA256=5F6F9145F4118BC6517328AC907F7E23E11CA44633E69599EDB5C7C5F70A0013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081417Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:41.109{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9893819F73D751DAAD83DA5A16E9970B,SHA256=BC43605CC8982CF018291A7D17BC4E6462B928674E7FF31FC1DD6D2C2030867D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:40.361{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49524-false10.0.1.12-8000- 23542300x8000000000000000103544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D88ABFBCC6ACAF269DBE5C93AEC81F0,SHA256=E1640785DBBAF14036FF8570308A22A7CE4A3BB09359ACC90AD1D15E23B246B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081418Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:42.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC979353BE73CDBF6A934906CFF9CDD8,SHA256=D179717E61472B007E8BE070B3F74B389B25E1BF302D883735030E20C59EC59B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.093{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.093{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-B24B-615A-CA01-00000000FC01}7802912C:\Windows\system32\cmd.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.042{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\System32\regsvr32.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEregsvr32 /?C:\Users\Administrator\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=8CF9086BE38A15E905924B4A45D814D9,SHA256=00A1CF85C6AB96DF38A4023F0CEE4DF60F62280768FC9C06A235E6D2D644169D,IMPHASH=1C8D7F52BBDAEF92EB0104CB6362D5D0{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000103547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:43.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6C3A062267D5853201F74E66432E66,SHA256=72F27F8D83E75C52843A223E1E6AEE36933B1A960E7211CC48D9BF624D7240F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081419Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:43.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25865E57D75463673939AC841CDA69F3,SHA256=7EF2B681EACB3EA870DEB0D0CB43716CEFF51B79A7816B7BA4E769F4732CBD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:43.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584884200421C4F8C3352F6FA3B487F2,SHA256=882A7A684C15B7A5FBA24ED9CCAC6AF472CDB2A7239F75F7530FC0E7D6F666BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:43.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AAC630B913DDCE7A21AA8A617543CC5,SHA256=133B5FAE1202EF733F56434730ECBB8EF239853505EFF786CCF4021FED92451C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:44.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2130EE7213A4F6903D4AC57D482333,SHA256=98D1E644F79690EB60D1FC4CDE4693265FE6E0D270D98CD771AA2C55DFDF76DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081420Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:44.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290A13A00DB220227E5E822ED650F852,SHA256=76817EAC4E6B46B0FD05948B0B3B6FC6F7CC2EDD1CF51FB59292247C73F5E182,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081422Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:42.755{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50025-false10.0.1.12-8000- 23542300x800000000000000081421Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:45.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863F0A3486DB8C661F2487CCFA20B88F,SHA256=29B91393452667BADDAF29488F00D733A455A4AB0DC9EF8BAC7895F64FF19BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:45.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6305FC7F308681CF31109521C0E9A3DB,SHA256=C5A27E1ECE86AF0A44DA97CF9E05164DE1E8D0BBBD2DEAA576A08B9650900144,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:45.377{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49525-false10.0.1.12-8000- 23542300x8000000000000000103550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:46.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD477BF6334CDB01C8EAFF6D3AF3CB33,SHA256=0274B0D0E3D68A2A53A4C0EEBC636B62F3C3DC9BCA77D82FD2FD133A5FAED4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081423Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:46.327{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B5DECABCF9EAFC0E1AA512145F74A3,SHA256=F2E76BC59D59A28FCAD4AA2F38E64CCB15F4A485F59ED92F2D7FDE77E4131D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:47.608{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE374276B78793023BD5B6BF121EB34,SHA256=1FD18FDD970F23DCD458EEBC794A46F4D043659EA2C728CEAB5F2B6186EC9664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081424Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:47.343{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BB63DDC593E04C9616FB62C787E1D0,SHA256=0A45F50CB9E254DFA619856CFCDD1B1C396C1F5D19C74C11F55D800A590A6CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:48.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F49EB7549E1F5BA6A9BB85DF71DAD0E,SHA256=2139D1837A46D875AE9F3F5CA707FF6FB6068468B6B27FBC75BE390139B069DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081425Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:48.437{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAD9F6897FBADD0760373A1FBC41112,SHA256=718B070D78377DEA20238A593C8463D65FF9BD11CE53B0354FBA35FCA2019168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081426Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:49.499{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631512A8019255E8285CF00A7F3FB3A3,SHA256=E2F0E97A712F0C558F3695C961DC7501F83577FBBAC66AB2C72CC7E32B6F005D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:49.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470DAFAE0214DBA5787632A09054A795,SHA256=7FE83E43C04B1755E7429C3887BCA2B1479B663AE74B93DBB37D8093A8C50420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081427Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:50.515{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3805BCDD42316720F5E384B0B1AA5869,SHA256=DCD9B365D69162E7C70EB14C3D7E188E3144A2672782DDEC09595356C55900AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:50.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1C5AE0390A219504B40BBA31D5910C,SHA256=761F4CA47485D02BAE291E503E7B66A18FDAD46243359AD791F8BEAF09D1CBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:51.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66572FFD87E1AD15770AA2236E937A05,SHA256=F752FB7529E9EBDC71DF02C89E9DC078E4AC5BB5BD2B7F62F0AEA823BB6F3BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081429Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:51.515{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC818DDE9B07F7288CF6BB5BCFC052D6,SHA256=7DEEA125857C4F071A4FA7DD4CEF50EC95E3CA2F478AB2A4E4D3BE7EC2364CE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081428Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:48.708{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50026-false10.0.1.12-8000- 354300x8000000000000000103565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:51.408{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49526-false10.0.1.12-8000- 23542300x8000000000000000103564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.671{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811F221549320CA57D98E06E2EB16B7B,SHA256=C862DBF94835A3BB2DA856914E1B58D99FBD184B31F877F4DBC1212CA3D19866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081430Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:52.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4697F8994A3AB2BE25A1AB7A9A1491AE,SHA256=15C2C1B61A52655F46475534C160D3463137734FAE26A6987E703EE70262CD48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:53.671{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF548CBF701B1325EE015DF8DF7F37B,SHA256=7CA04FE8A486B6BA663E33B8A593DCCCC182DFBC0B4DD854EF51F34E6A19E244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081431Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:53.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD7EC865C685CC3BD4D7FD1BD531A8C,SHA256=A61B14076EF89F69D69D7B38630A3641D682BA6051838F281E78069A77598784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081432Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:54.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3547CAB330264AEDDB1051FD10BC88C8,SHA256=76DDD35A8595258D17C257E1FB9E42E652F6315F129AB73105FDAAFF3283E4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:54.702{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6B79E380580791DBA78DAB8BF628DC,SHA256=E07CDA9581C133E60A047997E811A4B7D4B8D75C88EC9803D786315F1AEF3E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:55.718{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669367C3DD52EB3747CD25B37C53A0D3,SHA256=455A66A51E53AC4DDE31EF6F5E8CA6F5A11CCBA3C808954CCA80359B7B2D4CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081433Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:55.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918D724620A8467C299452726EB05A35,SHA256=D8751E9C1A98E510D5816BA6ED010E56E8A4F3836726B017EB10501E43ABA6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:56.832{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:56.738{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB038239279A5DAEA8831572E20F0B44,SHA256=0D2E72A3FF9F0803A5B5A1036A4AB6D2C8AF3D09484F251A28499DBC98E7A715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081435Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:56.617{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-023MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081434Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:56.617{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9E8C615D2E3842C03765AA39C3C1EF,SHA256=C72184A4A7A6A8EE631DA8FA49C6FF65627F546C21474DBE47EF92CA72AB628B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:56.475{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49527-false10.0.1.12-8000- 23542300x8000000000000000103571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:57.738{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049727D1C7E511426A8A1144F6468FF2,SHA256=3271DE8BA69BFF0DDC773CC00CE53E8416210320D6680F80C57FDD59B277272D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081438Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:54.583{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50027-false10.0.1.12-8000- 23542300x800000000000000081437Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:57.635{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3DA28A9946AFF83F16EEFF7BE3E304,SHA256=E27FF912DF13E4071980F30597FD80040ED3265EEF7FC0E18027EC4DF6A6A7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081436Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:57.631{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081452Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B262-615A-4801-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081451Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081450Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081449Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081448Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081447Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081446Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081445Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081444Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081443Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081442Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B262-615A-4801-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081441Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B262-615A-4801-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081440Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.974{2FDD8D40-B262-615A-4801-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081439Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.708{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A507EC01622CA22F1075EC0EBF2F6D82,SHA256=6BF05664C37E721392397713BFD587D78580C37BB69A0B7E74C22A231FB3B2C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:57.054{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49528-false10.0.1.12-8089- 23542300x8000000000000000103581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.769{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE56C9DFE9EC2CFF27C95BAECF8915C5,SHA256=332F314B7B08EC08B55E6B1F3A40E16D30B9DB309DA2E0FFA6DDB0534D6295FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B262-615A-CD01-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B262-615A-CD01-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B262-615A-CD01-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.661{58E9C193-B262-615A-CD01-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081455Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:59.973{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDD8B47AA9B4F5C692E1D556953BDF2,SHA256=2D9C9640A007AB0B4213813991EDD5EF9BB42275F2D1ECBF493DCE479FF7527A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081454Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:59.973{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59DE8C1E6C626759FE7A7853248B9F88,SHA256=0A2E4077DB7A9C824B26E54DAB47E28FE8BF7FB5D1430C6E60B0BC1F08120D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081453Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:59.848{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4C280CA324255D04CD03AF8599B107,SHA256=FC569BA8B35188F27BA98AE95BEB92AC983EED79A47941F05D1062CB46E9CE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.256{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49529-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.256{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49529-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000103594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.816{58E9C193-B263-615A-CE01-00000000FC01}44804196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.785{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10DC16641AD56B24903E426CE7D5627,SHA256=EC7E73FCCBCAD8EF66D46A95FCB451FBA6CCECEF47AEEF88EE1E7C1F593C0B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B263-615A-CE01-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B263-615A-CE01-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B263-615A-CE01-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.598{58E9C193-B263-615A-CE01-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.051{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62A5A52F95CA91BF51544EB1CC5CDF1,SHA256=DC8E781785A070EA2F3CBEF860CAA910F624809587ADBD774D4AF1D159BE4F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.051{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584884200421C4F8C3352F6FA3B487F2,SHA256=882A7A684C15B7A5FBA24ED9CCAC6AF472CDB2A7239F75F7530FC0E7D6F666BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081456Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:00.880{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F93E513EB1B552614078ABA4F7C041,SHA256=F07710CEAAA803FC0CE613045F00FB83E2B114ABF0ACA92971BFF15017B6146D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.847{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6666480A76E78CA3DA2B924370048721,SHA256=58389E79330B2CBD39B1FAD36CEB63B2AEDFC7C1597356204E7D5BF18477D722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.644{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62A5A52F95CA91BF51544EB1CC5CDF1,SHA256=DC8E781785A070EA2F3CBEF860CAA910F624809587ADBD774D4AF1D159BE4F9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B264-615A-CF01-00000000FC01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B264-615A-CF01-00000000FC01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B264-615A-CF01-00000000FC01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.520{58E9C193-B264-615A-CF01-00000000FC01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081457Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:01.911{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2616E9EED90258E65EB62C4EA4FB33A,SHA256=F23D9A899D462D0227B15D05165547B3B059ABB79CB379B8DD65C7F2A03B4B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:01.864{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E540B9ED919E94E276E181133EF106D5,SHA256=DCC1D7CB937DD6A97745D4A17A62EDD94FD217BAF885518ED33C56C7665B8122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.879{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0788010008CB83515631A1D5F91DFDD,SHA256=DB6A4CFE5DE06DFE358E7D7E2E8E2C1BE439E6A28D14D0C24C009FFFFB982635,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081458Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:59.776{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50028-false10.0.1.12-8000- 10341000x8000000000000000103616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.488{58E9C193-B266-615A-D001-00000000FC01}52484332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B266-615A-D001-00000000FC01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B266-615A-D001-00000000FC01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B266-615A-D001-00000000FC01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.255{58E9C193-B266-615A-D001-00000000FC01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.989{58E9C193-B267-615A-D201-00000000FC01}65166312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000103637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.303{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49530-false10.0.1.12-8000- 23542300x8000000000000000103636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.879{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2EF3912AAA8C86D12BED574FB86E15,SHA256=88B2E044404025BB6A3D1405453C63A71CEA7D287BFED3799C6D7CBD4513F2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081459Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:03.145{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4079F3B680EF2EE109C772316EC62332,SHA256=2AFAF228AE9F3A6199BA0EAE96CC1B305C6F39FCF9164C1A3D0E2045020FED7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B267-615A-D201-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B267-615A-D201-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B267-615A-D201-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.771{58E9C193-B267-615A-D201-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.551{58E9C193-B267-615A-D101-00000000FC01}69844944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B267-615A-D101-00000000FC01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B267-615A-D101-00000000FC01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B267-615A-D101-00000000FC01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.270{58E9C193-B267-615A-D101-00000000FC01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.254{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3518CEA86CBF733797BE2BB4B47B4E52,SHA256=CAE2737A00442036822103DB9C870E4F8BC30FCAAFC5F35257491A9E4305F914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:04.913{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2315A5A97C140966AB9F6FB6637FBF9E,SHA256=1B5619A9CBAE8DD80E8CBFF4CEB4139B57F825162B418CF6867B45896B966C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081460Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:04.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA9D2467D7369F4E3E2590B0EAE721C,SHA256=FBE6176458B0092386D9220E629D477094A942272CA1F1EC1843D09BEC67F0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:04.506{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79A0D6C3DC25A18B7D2583C59FC09E65,SHA256=6F6C93C2375E4B2E98698D4BF6B7B5946CA49C982776C0ACF1DCE5794C1671FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.913{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D716783A93C7B02FDAE9390CF798A3B4,SHA256=563AC86CCE9629A7D66995874E123EF455063CB4824E851D6D231969BF06ECE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081461Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:05.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EE219167F71EA9C3CF12B72BA95562,SHA256=05C0C5EA6151411FBB2232BC50B078F42266DD178F3466C0D26DAF34B40E3D47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B269-615A-D301-00000000FC01}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B269-615A-D301-00000000FC01}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B269-615A-D301-00000000FC01}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.445{58E9C193-B269-615A-D301-00000000FC01}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:06.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156FB73CE969BFFF9132879FBC276FB0,SHA256=F4593BDDB20905D98E220E2FC3169CFC89204B0359A2CEF136103220DA18BCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081462Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:06.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D521BB8790A9EC9379F514E288D6D2B,SHA256=A1AAD5DD6D5775460EE6E465E969F539E30F8FB2067788CF66AC6F17BBB6A677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:06.663{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=682FA29F4B557C9F435FA709F5CE2248,SHA256=7F2E4320954587DF44F281C2D32834A52CC40CE8F3C8EB109BBD536D55FE2945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:07.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C8EFADC0EC49B5368104775A7CEE59,SHA256=B77D5D69A7A00B4D484EB17016EE52A8EB619C108983774D8868C3C97B5043B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081464Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:04.780{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50029-false10.0.1.12-8000- 23542300x800000000000000081463Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:07.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328B550408C60CD576CE6ACCA6AD5422,SHA256=EAA2A837E17F8A1334041F3A42ED873DC03A49C0739542FBBBD21E61C3EBBAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:08.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3D49FDDB70028354207A407A95A847,SHA256=132FC81D17F3EFAFD3BC37F1647E9B8A7708E5CA721AB744E183113D5969C213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081465Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:08.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20392BFDC2C5B4020436D444E7BD3BF6,SHA256=3688BBCF186571EFF453ECD2107B99828A582B70C5863690C8F66B28AC4788AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:09.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E285900B0D7E8CB3BB61D05FC8576F,SHA256=C32C5AC1CB7DA7E288ED72CC72868866E1BE9F66B46F130F13BBD0A68FD82652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081466Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:09.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A329CFA584469F67AE79C82A1E7A784D,SHA256=ED5A7FD3512331E8432445A45E08D3CFAC3DCF80FD345593407CA54F88307719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:10.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8A008E7530D2F71B62E655DE2E7547,SHA256=0021952B3B71E37FCB47389C0DE229EB5C84915D92E11BFB2B3C0E10BCC578FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081467Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:10.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF13119F046DA09BAE6B5960FF07585A,SHA256=F9ECA21294A0AD01EB25B60E145F345CDE30FC232C1CE3EE3A46738455B5E6C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:08.272{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49531-false10.0.1.12-8000- 23542300x8000000000000000103657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:11.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78F85B9A59CAF9AF713E4113AC2A3A4,SHA256=9F396655083B4291269D238B1EDCAB69DBB9C8AC66DC91F820F80735C018A1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081468Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:11.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE4A599C6006F2BAF7A83BFB106ED4D,SHA256=3A14631EA607C1608813932C47232767918B3F6A9DE3D446F3EEE0C9C1A82255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:12.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA64C37866B9A93DEF45DE3CD6DB6B1,SHA256=E7D372D43074F8DE2ACE6ED0081AE90D4C43BFFFBAE15B3530D746CFF92FD086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081469Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:12.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FBEDB53E7B943DEBB2941548A46A09,SHA256=3BD012A52239A9DC05A20763E840991FE7264D31E5289558F0328BEA5540909A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:13.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B482EEC1816DE7D670875205F1F8AACC,SHA256=F1AD887CDFFD481BF08FFAFAEE3B3F2C123BC50288674D93EE97385EFA6B4DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081471Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:10.745{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50030-false10.0.1.12-8000- 23542300x800000000000000081470Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:13.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE7F116D19B2D9FB425B09862895E95,SHA256=52CF100DE4CD32877BD7F1E57E29F19E76D4AD62E737B82E8290C4FCEABDB598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:14.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23EA3052F4E54D8FCCCE2A5C1CDAA9E,SHA256=309F6BBF824D79FC47519174077BB4F73DAB5072DC1B73091388E4A9C65EC975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081472Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:14.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2390CE85E8EBAF2F3B932F64186CDE8,SHA256=4599FEA5A0D85287E62B711589849C57B9138409F0FF7FF3955EA58BA5BA52F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:15.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF36E3E00E6F56B804E7948AB2DAC93,SHA256=4C9E5DF26F95C477C36153C3D8738C476C295AD46E737F7CA2E50DA631FA527D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081473Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:15.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9444F247D4BD9C616B9E994C2C011ED6,SHA256=EDA2CCD11FBA41D0D3D1967451A5FE176E389FFD4204E15336864147096087AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:13.491{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49532-false10.0.1.12-8000- 23542300x8000000000000000103663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:16.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A15DCDFB7C0D1145FDE66FAB965817,SHA256=9E2FC14059F01D641D704ABEFBFEE359252E98F3AC9062C7E7A339CAFBE6DF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081474Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:16.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8797140C3E96CC291CBD23256E159053,SHA256=11C0E6172AC09674800D0C0B50A8568343828A93DF2FA05BA788838EFFD39BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:17.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C659AF6AFB9725013CB1BE714536ACC,SHA256=6D8670B09F41B3708502A6DC07C7C899E65F76919C0D3646E6A4E2D9B031D86E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081476Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:15.755{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50031-false10.0.1.12-8000- 23542300x800000000000000081475Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:17.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6227260DF054F4ADD5D2B0E25C96DACF,SHA256=B561F3511DB49B9FD9F33E1C05D7E3AAC2DB4B692ED1E0ECFE758D2CE0464690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:18.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DDACC37B7C6445EE0683E4EBE6E136,SHA256=10BF6749083A5B8EF148A6D9BD0AE18F06A0014870BD8C295978AE5A712181EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081478Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:18.984{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CD37999D6E5838C8D6D45511BE48D248,SHA256=38BC0E69474EE8AB97196541AE1217BA3C22DAB954E21448997683A532C58ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081477Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:18.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C70FC7184E2012A4BF00CDCB820614,SHA256=BA371CC340CAF60286EA31788B8B0C5FEB70CCDCC0D89D532E21FD2D0B6A39BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:19.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCEBEC883F77526283D435237B214C2,SHA256=259D959ED668CC7D6A73D0B8F20570F2F8D2F5E57CCD1CBAE7480A1562F8D589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081479Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:19.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B92050D91DF7771FE6628C001DC60E2,SHA256=E720F2B9EE8596CAA1731A8AE541A0506E4D669D694E73B1A041A48116BD5D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:20.943{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFD7BF64D08A825BDA74536CC2C036D,SHA256=C499B7BBF05A9163DF50077353E8713AB4F6D677D8FD6517BB6B4AD686133186,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081490Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000081489Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00178aac) 13241300x800000000000000081488Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0x3ca2af20) 13241300x800000000000000081487Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0x9e671720) 13241300x800000000000000081486Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0x002b7f20) 13241300x800000000000000081485Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000081484Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00178aac) 13241300x800000000000000081483Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0x3ca2af20) 13241300x800000000000000081482Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0x9e671720) 13241300x800000000000000081481Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0x002b7f20) 23542300x800000000000000081480Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:20.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D6579B938D6466E7F7428E4757D97A,SHA256=0F5D0E3D3A10E6278C7BF845FD85F25FACFBAD1780A23C9254BD6121183B29CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:19.348{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49533-false10.0.1.12-8000- 23542300x8000000000000000103669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:21.958{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92EBD310FE18EFA76D835C83B4F61A0,SHA256=D70ACB6256ED5751323A2E4CBAA51E74ECC2633996655AD40FFDA8287366E485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081491Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.219{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCC2CBB0C0952992FD39714821CF735,SHA256=C5693E9D84F3D60A6CC281761769CC32CD27EE75F69BC9FF60E8E466199C5E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:22.966{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B8B7F8E44DF8B46A1C8941CEC67A39,SHA256=0A97A38430CCA31121AC4365B297C8069C3F8A7540962AAEC823941249EA5AFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081496Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.310{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50035-false169.254.169.254-80http 354300x800000000000000081495Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.198{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50034-false169.254.169.254-80http 354300x800000000000000081494Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.164{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50033-false169.254.169.254-80http 354300x800000000000000081493Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.163{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50032-false169.254.169.254-80http 23542300x800000000000000081492Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:22.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71843618949B4E310F9EF579F7B24443,SHA256=F2223B0B02DD5E35132D49BF22FFA739DD86A08254D455F4C5A95FD62F48DD8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:22.258{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-023MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:23.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12929872D0BBA482BFE1D59E28D0DA57,SHA256=1E607F47370E6BCE3E339D7FBF5550E7CB2534EC870499D9ED4948BB17C35AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081497Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:23.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C179EC0358B3B1914DA5F756CCC654,SHA256=99C1D7EC2DDD56CFDEC7FDB12E259BA32F3CB4BFD453EE35C7D22B8D65B5AAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:23.264{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:24.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EE48682B63AEA1F7DCB813E8A49D2C,SHA256=86B8C0BA7F5790CAA7EDD8E42F4BCCBB8813C608DAD555EE46055D1972ED38B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081499Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:24.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34EE9E1B84AAE5458EA8C9345217E24,SHA256=02AFD8AD822408DB8BCA833F21381B2FD8D1F45A69DB2B444B3896D591AE446D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081498Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.703{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50036-false10.0.1.12-8000- 23542300x8000000000000000103675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:25.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169CC4041767B9E56F7BE0D53336766F,SHA256=215EC687D36CA4B6866F1072B8CFEA11A5BFE6D8285B36424DD282783E6395C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081500Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:25.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4BEF7C7932FBF675BE34F4F0D2B675,SHA256=E094E534DD9B98037454979AAB2B52CF3F51D977CA52395DD51BE60C187A1156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:26.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A15A2B73C644A59C72E577B2F66598C,SHA256=84F53D26F4FF2005AE1A503F89A83BF1EDA4276F8E7DA2F10D90187BBDF71A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081501Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:26.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B3FC226863E83CFD41DE2994449D88,SHA256=A8746767DC3F735396ED9F70A334F52FFE3E0477CC3D25478A2210BFEF58096E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:27.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82DFF5E5D7F643F8394F8A9401E7967,SHA256=05F5A4396086A26E89AD6F3C65DAED6FF9387ECCE62F15B9C671FD46D73F397D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081502Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:27.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5FF76ED8FEC258F3AF3D4F74D52E49,SHA256=20A99560AF2E8E515E1E7884842040F6566C736D358737F786ECE37818F29428,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:25.314{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49534-false10.0.1.12-8000- 23542300x8000000000000000103679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:28.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E299183A2FD6044EC5611AF86986468,SHA256=584A3FA833D515DD92AB4E3185E2C7774C8C68437F8E6694DFD74B103D2A6148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081503Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:28.245{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE3F2C949CBE4F7320ABBB6A01FA326,SHA256=D4C6AAE81141825FBC839C643CB0EFE375CE34B9A591E74AD2748960F1C990EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:29.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF2519070D60F8D24F19DA4A84C051D,SHA256=A353EC5FD843E45A61D8A3CE428417FD9E9AF997CD9E88B13801B13B743A60D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081505Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:29.651{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081504Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:29.245{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5DA99B5CF22A815BDE3FEEEA428A2E,SHA256=1CA340899A6E58D642CC5F92192B84AA8C2F75BD86A5C8B4017F5BF86C4BF526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:30.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C9ECC4530D895618B504D3A5617F5B,SHA256=F6EB5230635EBA748F5B41A6A1A20F80242FF86CBF9A597611DED001D6B8F93E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081507Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:27.703{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50037-false10.0.1.12-8000- 23542300x800000000000000081506Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:30.245{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4DE021208E17E00128E9B06F3B4ADA,SHA256=B9E9D57D92BD82319C054035ABA251A45B09FA3990D63860027646C6568F8C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:31.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40A00B2B974649A72CBE7C74A74729A,SHA256=54E71685CB57E2B47F3E9C8841C40F5F523285AB694E8B7FC298CA3578830267,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081522Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:29.188{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50038-false10.0.1.12-8089- 10341000x800000000000000081521Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B283-615A-4901-00000000FD01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081520Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081519Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081518Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081517Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081516Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081515Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081514Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081513Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081512Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081511Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B283-615A-4901-00000000FD01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081510Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B283-615A-4901-00000000FD01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081509Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.496{2FDD8D40-B283-615A-4901-00000000FD01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081508Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.245{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEAA040C44E5A7B297DCE2D339B4B5B4,SHA256=3A8AA1578A58CB47B343C13BAE1E029B6485EE7FA15A0ABD8CC4E8E01393347C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:32.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFE330A2CE439776EE93483E477461F,SHA256=350B08B0BA32D89BFD7E9E083E74787A76BF401006AD66B335793A2ACDD5FBDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081539Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A9D9841FDEA32596CC4799DE416160,SHA256=51F054D4F90FB7E3253AEFF687785E9C6A350828C330EFAD9CC5E53A8EB90696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081538Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDD8B47AA9B4F5C692E1D556953BDF2,SHA256=2D9C9640A007AB0B4213813991EDD5EF9BB42275F2D1ECBF493DCE479FF7527A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081537Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.448{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D3B40E9E2C79C8EF88D43CB1CC628D,SHA256=421DC5ED78BAB25DDDA31515EA0FD21B14B3298DBB8CF7868481641957D6D21D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081536Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.323{2FDD8D40-B284-615A-4A01-00000000FD01}14001416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000103684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:31.329{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49535-false10.0.1.12-8000- 23542300x8000000000000000103683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:32.032{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9D8F09E033D99A67C38DDEF908F0C591,SHA256=A6F8F6AC50B64A3260513C258769C2606CE3BB86C2048FBBF09BDF4D72F8BA6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081535Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B284-615A-4A01-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081534Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081533Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081532Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081531Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081530Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081529Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081528Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081527Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081526Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081525Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B284-615A-4A01-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081524Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B284-615A-4A01-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081523Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-B284-615A-4A01-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:33.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA0CC7BD76CD504C2009CAFABAD76C1,SHA256=9EEB1C0F0A94D8BF91191ADFA195639506FD8532468461E286C054B725F4EFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081553Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4ACA3B5E43C719BB3EF6B7A325EAE94,SHA256=EB075B93DA242C546E6A7FCA97F00F0949A1C6502EDC4BC6F5A21B8065CA817A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:33.860{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:33.860{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081552Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B285-615A-4B01-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081551Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081550Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081549Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081548Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081547Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081546Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081545Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081544Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081543Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081542Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B285-615A-4B01-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081541Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B285-615A-4B01-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081540Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.152{2FDD8D40-B285-615A-4B01-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081569Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.932{2FDD8D40-B286-615A-4C01-00000000FD01}32282648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081568Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B286-615A-4C01-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081567Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081566Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081565Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081564Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081563Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081562Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081561Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081560Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081559Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081558Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B286-615A-4C01-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081557Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B286-615A-4C01-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081556Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.777{2FDD8D40-B286-615A-4C01-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081555Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.448{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8C981D4B8FDB2474F21A9BD8AA8D2D,SHA256=CB9B3E4B9C385BCC22069DE42E4242BD1C8B5256CBB6C86E68CD610740AAC535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081554Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.198{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A9D9841FDEA32596CC4799DE416160,SHA256=51F054D4F90FB7E3253AEFF687785E9C6A350828C330EFAD9CC5E53A8EB90696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081585Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.988{2FDD8D40-B287-615A-4D01-00000000FD01}2516696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081584Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B287-615A-4D01-00000000FD01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081583Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081582Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081581Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081580Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081579Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081578Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081577Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081576Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081575Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081574Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B287-615A-4D01-00000000FD01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081573Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B287-615A-4D01-00000000FD01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081572Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.824{2FDD8D40-B287-615A-4D01-00000000FD01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081571Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.657{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50039-false10.0.1.12-8000- 23542300x800000000000000081570Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD221E05404A55324BF9A412C75AFE78,SHA256=4B52D4E3A243944ADD7D9FD13E60FC4A9039BC49D358D24DB08EDC9C4B83F4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:35.001{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B40E1BD045138316FBF4F788CE123DE,SHA256=84E1DFD7C36017C27D06742C5E111D9514C5FD900300C7CAD1D596AF5A46643E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081601Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.863{2FDD8D40-B288-615A-4E01-00000000FD01}40283076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081600Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B288-615A-4E01-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081599Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081598Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081597Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081596Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081595Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081594Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081593Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081592Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081591Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081590Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B288-615A-4E01-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081589Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B288-615A-4E01-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081588Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.615{2FDD8D40-B288-615A-4E01-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081587Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.567{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE724DF4602916213768C16D121422C,SHA256=9EE54FD0B4A3B8D20759F9F167ED52F1B129FA2537239F33CD2BF4763B4CEBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:36.023{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593C5B9BCD55D90156C823D6A0BB64D8,SHA256=C875D3B5ADF235C01F4C3A1EF9452C5E665B3FFF3377ABF2A88CE0E5CA51B7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081586Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.020{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCBBB1DB0C8D2764C3027B8D0244BBA5,SHA256=59FA31BA899F6AC2B4AF852CBBC1E2E50BE4DCB2DEBCED06305685A0859E74D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081603Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:37.707{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5540938CE40C0FE5BB8E8ED4C53874BC,SHA256=46222A64C10A80DC10C61AC6203927493D00C4D670EFC01AD9916661022FE453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:37.023{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D35178D3C2424B89B630BDB62A88134,SHA256=DC542A5F3AA1982E54DE97EAD088ECE5B2AF3A8D333C4CC82935111CF3A85C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081602Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:37.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76B5A4BF35A8BBD09DAD7C8E8E3470BF,SHA256=60653BC74323B2E1367E1CAD1A261637C2D486CC3538A2357650262DE5F1E413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081604Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:38.926{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FDAD1718DE0E4F14C589F53DBFBD0E,SHA256=127C29CF59C3D29462B82AA0DEA0B7F25B71B5264AA3478C2A1D7DCD8271FD8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:36.352{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49536-false10.0.1.12-8000- 23542300x8000000000000000103692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:38.023{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4736ECF97A882DBBF61A8311E23EFB07,SHA256=BECE9BCF680D840AB94AD8907A3E149B76AA51F0856ED2394D48A723B98DCF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081605Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:39.942{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE00DC6561DD3E917225BEEBD93E0C22,SHA256=FFA76FD27DC55E8F1C06DD719C944BB11E65549806CC3764FF19A57444851044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:39.038{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC6F23903032DE5DDCEF68ACC8527A7,SHA256=160B4DE233ADEF65E7E67080B63E79FD7DFE661A50CEE49459A60E800CA44B43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B124-615A-A401-00000000FC01}6036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B124-615A-A301-00000000FC01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B124-615A-A401-00000000FC01}6036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B124-615A-A301-00000000FC01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-9F01-00000000FC01}5924C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-A201-00000000FC01}6736C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-A101-00000000FC01}3528C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-A201-00000000FC01}6736C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-A101-00000000FC01}3528C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-9F01-00000000FC01}5924C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-9E01-00000000FC01}6592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-9E01-00000000FC01}6592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.085{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF3D9B0E30A2B2BF0DF41B007A6CCF1,SHA256=FCAF0996E5475DA66B25BA4073B89DDD76249B004BF77FEA45F6FDF23F1D95CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081606Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:41.020{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7378DF639E120A27DD485653656992,SHA256=053596724DBBEEA962DEFCFEB4027CED6454362A9029F91AFEA4DC9CC0982BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:41.132{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996A8AE60A71F849DD5F630BC521E23C,SHA256=18781B50E7064B7F2F0BF2AD4E92CE7068486D7A7239C45DE6D8BBAD7184F404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081608Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:42.160{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BE392F51ADD636E87570F5B0EEA8A7,SHA256=7AE785345EC31628304ED93D6E113BC808FC7D82B90893621189E80228BA2AA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:41.367{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49537-false10.0.1.12-8000- 23542300x8000000000000000103709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:42.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FA5D8110719601F44368ABCE2F60B5,SHA256=8B611D1CFF70DF3DC18295475C7632AEACA9D7574A9FFB4FFC67233794D19F70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081607Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:39.682{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50040-false10.0.1.12-8000- 23542300x800000000000000081609Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:43.160{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C447D3E30A9E829B8FB9D399B12F3518,SHA256=6912F69320AA2B4748939B944AFA5D975F77CF7B4D6F623284C5F3923C1092E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:43.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD672B5982A08ADA47A472940C8B7D87,SHA256=7D453D4F4251D26CD1BA0D4206446EA39A9A1720B4BA67AD2574BBA3E4270386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081610Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:44.160{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB64CF63D3DCD027E6879DBF5906DCD,SHA256=C4B6734F31A43B46135FDD1F06420A6A9E39958019A50DBC2BD918E2EF179CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:44.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F8B3D09DCBFEB574484F18BB706B6A,SHA256=260B8D215B1EDF65630197B0BDA29ABADF2AB1ABEC4BC63426137A9E6AD1F8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081611Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:45.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C43A2AB360D3CB4CED5A351C7876DF,SHA256=CEAD9E2A2B9900316C019E98F730DB026935D26DB789D6B8135BE6E92C454830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:45.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E9892EE3F9AA0A85284B4CE9268E67,SHA256=D5021F7720A8CA5DD062051487535138680CEBECC90CA2AB678D66E836DD101D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081612Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:46.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731DAA5B422AA75454EA78410752C9DF,SHA256=5CBED4114FFA7E0053755CA146899D3BB93C85CC23EBCECFDAE53167882B5A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:46.179{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B5DE48D1D77D1E1C737B21E169B3F7,SHA256=0BE513487953D8291EAC33EFD3A5394497D66BF6E3A58957463FEF87F71EC695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081613Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:47.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F044573C46C70556EBF9978CDD6186F6,SHA256=7763AD6F2872E1D98A2AFDDC59B0400AFE80CC280C89B9C85A5B231C5318BC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.183{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA881CCAE69181B83CD2E3C6C2108A34,SHA256=3243EF023B98FD337625A7BB26B0A1DE1B95ED5E753865465C6B53A9F16A4C56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081615Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:45.651{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50041-false10.0.1.12-8000- 23542300x800000000000000081614Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:48.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BA505BD6A789C31F60672A9237D6A1,SHA256=D54D571186D516D801D418C85C9911E28C322C2FEF42EFF5FC1D99D07FFE0BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:48.192{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E05D16B579536195F326B855011E000,SHA256=A7CD9CEC63BC554C4BB2077423139A5C53D66D53B40BF97671BD455C965312D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081616Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:49.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F52BA1E2B7F51FF262C9F6AF2ABD69,SHA256=1657D8CB4B8BCC045315D050AF72705DA8AF5A3515583136A8F11B4862043FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:49.192{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B227BA749D46702B17E10B348A367CD,SHA256=D25960C091A2C81A6D39FA192EE1989A609D9139E39FCF0A941D93A6B347CC45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.503{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49542-false169.254.169.254-80http 354300x8000000000000000103720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.439{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49541-false169.254.169.254-80http 354300x8000000000000000103719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.385{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49540-false169.254.169.254-80http 354300x8000000000000000103718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.384{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49539-false169.254.169.254-80http 354300x8000000000000000103717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.322{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49538-false10.0.1.12-8000- 23542300x800000000000000081617Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:50.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EAA2013FC90251EAEE1C2F66F2E891,SHA256=D965DB7EA2C3E0557B56415025406FB5D95105CEBC4FA32E102D09A6BEB77B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:50.223{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1B6413AC7A86B894494EE764013B27,SHA256=C6F8490600CDCFA4655ABEDC13A50781A539560BA4A303D8A7BA6655AC6E338C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081618Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:51.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1C420F6DBA8A1E5314CC7BFD8B2213,SHA256=B365E4B45F8AFCD58C4593F6CE6CCA024A96F24351B6927729C21763D012CB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:51.457{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E18A786CEBDC551479F4D08883DD772,SHA256=712FC459E349B3FC350AE7E6BD3DA370E0CC2B5528E577C6F5175AD5EE0C8CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:52.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC97F6668919D34E3D76F4DD4C437F8,SHA256=B5B6ADF3731B0E6B636398A913CE5E971E4D4CBB40D0298111CE8EA43B298101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081620Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:52.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B530F475ABA2FD9714B67C779727103A,SHA256=A0163739D9EA338E08AFFD48E4C25415C65E1BCF4D6DBAD3408E21A4E6169736,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081619Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:52.082{2FDD8D40-AC99-615A-0D00-00000000FD01}7882532C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1600-00000000FD01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000103725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:51:52.082{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0xb1897dff) 23542300x8000000000000000103727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:53.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C17BE7490138D93153AD0F0317EE3B0,SHA256=DAB39287E661BBBC154057FB64007BF4A9D8FD35FBD248DF6ADC20FFEB76D265,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081622Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:51.588{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50042-false10.0.1.12-8000- 23542300x800000000000000081621Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:53.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052E10FCB78E75ECDFDC6EE41E2D56DF,SHA256=CD5763A23C9C852402A9F5D1CB6F97A9E3D27FB1049591F5361557A4ACD15345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081623Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:54.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733ED40F38528DB70CC5FCF141F7792C,SHA256=BC965C7C7596513410ED13BE12EA01C49AAD037E58540734A574A21ED5B15142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:54.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241CA7BB20A22E2D4256AA7042941EB8,SHA256=5B618D7A2D4C52612E2A164D16BFA2AC0947B0024C22EBFA50066D17930E2A72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:52.458{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49543-false10.0.1.12-8000- 23542300x800000000000000081624Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:55.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973CAAC2350ABD72E22728E8E8BA3F59,SHA256=54E32E8214D315F4595D9F32653C451D271329DE38539E643084DCB94E8084CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:55.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C56A73C3BCCD644C8039690BB249B0C,SHA256=C100EDFBA46C496D1C58BFF2564F1D8FFCC7F2DE26F9C8D4FA3EC5C22F2EBBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:56.854{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:56.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D376045A8C92F9E596BE098446E416EC,SHA256=ADA314B6DF1AA701174A8A5FAEEC7171D383982AF5CF07D0027DD621C4953554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081626Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:56.289{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94577C794B81A1A7D6DB0131C961D409,SHA256=6E8B7CA700129982DA84CA06215C53C88712666C1F5EE52186733BC01A7FCA66,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081625Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:56.211{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0xb3ff7896) 23542300x8000000000000000103733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:57.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEC123F5F4CEB87011BE3936C381467,SHA256=F699428ED1EBC8E5CCB4CD42BC3A07D64E2F3B9E4F826BE39A52F67364566074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081627Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:57.289{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81329217DA2BEBB2C663C2CA26BD0031,SHA256=F3A17EB395F59B8C56E2565ED6A64F46A23CC50FE77E96FED2E19954F46A0D64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B29E-615A-D401-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B29E-615A-D401-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B29E-615A-D401-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-B29E-615A-D401-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D0E3B178676C9329AB4AE36E72D2CB,SHA256=A6DEABCEE74F2D9A3F7820A33B90B83A0DAFB2AF53BDEEE77DB88C5A180A4E7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081643Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B29E-615A-4F01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081642Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081641Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081640Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081639Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081638Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081637Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081636Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081635Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081634Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081633Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B29E-615A-4F01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081632Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B29E-615A-4F01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081631Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.985{2FDD8D40-B29E-615A-4F01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081630Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:56.795{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50043-false10.0.1.12-8000- 23542300x800000000000000081629Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.296{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCB091135F7ED80735E5A76FE319E34,SHA256=A47C515CFA814E59A3BA33B743C7E0F509145FEF41532EE9A5F1276DF6E30C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081628Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.151{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-024MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.745{58E9C193-B29F-615A-D501-00000000FC01}1046216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B29F-615A-D501-00000000FC01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B29F-615A-D501-00000000FC01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B29F-615A-D501-00000000FC01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-B29F-615A-D501-00000000FC01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.542{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D13964968E659FCABE9F9030B01754,SHA256=F7A8B2B8F23C467A6E13EAB7457F2519D6A443ADAEF9A9866633B79E30E9B5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081645Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:59.310{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14441EB4E28ECF954F2ED914EDB2418,SHA256=E7B8F612C6F20021D75CB9618B11DCD9598AB0766A1B6B270C33CCFD88661CED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.262{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49546-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.262{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49546-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:57.465{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49545-false10.0.1.12-8000- 354300x8000000000000000103745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:57.074{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49544-false10.0.1.12-8089- 23542300x8000000000000000103744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.026{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=968EC11F20CB3227C321200F2EEE5921,SHA256=22FBA5D9A08AA8E9A54648E75E431FE508C26C0B710377A70420F9076C4CF6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.026{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD47A91835EBBF9272933CCDFEE23FC8,SHA256=A572D55CBCEB7A5C15A65202377D8D8BA8E63A3CEDC57D6111B8AF66AF982580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081644Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:59.157{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.620{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=968EC11F20CB3227C321200F2EEE5921,SHA256=22FBA5D9A08AA8E9A54648E75E431FE508C26C0B710377A70420F9076C4CF6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.542{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32DF11B12B79B7D180CEA4A7BDC386F9,SHA256=DBFE55D135FC02979534572138A4A3821CA513089E1B394D714F5943B7005126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081648Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:00.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687DE105D9F76B6BC02BA521822C4867,SHA256=6B4DD2144CFF5AB46AC551F4510658233150ED22E7F64CBD7A1815F130462171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A0-615A-D601-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B2A0-615A-D601-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A0-615A-D601-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.511{58E9C193-B2A0-615A-D601-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081647Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:00.187{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62E3FBF5C5FE72E2BE4D35127A90E962,SHA256=7646A23B6F64B8A2F8C191DA8D1CCDAB79DE08A5C41A1B7BB5C88DA9B0D6F964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081646Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:00.187{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF5FBBDA9C00A67AE3D971F223772E0E,SHA256=35BF4F300AA02D8CC5518CFE07D102E86432BAE6FE45D4E9BA1B0CFA91EB3B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.604{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766194F709CFA949D5911D6BD87C55E0,SHA256=A2829F769E3C29B6284B3DBA57C6949F40AA391460F26FC35166D49D5027BEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081649Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:01.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5696C00E94ECFBF51DFAB969B59D305C,SHA256=57E1EEB776C3DF3E58D6F2E8CECA281818CE98BA26AC22196B35BA7B47EF27DD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000103771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:01.167{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000103770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:01.167{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Config SourceDWORD (0x00000001) 13241300x8000000000000000103769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:01.167{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_4D264F37-7FD1-4957-AA29-D51476710399.XML 23542300x800000000000000081650Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:02.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADCB1B6810CF3DC4582E0DC70A8D61F,SHA256=3D18983333EE76A3B6653E317FA810287A4752FE0050414D1EE78BC714AB776B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.651{58E9C193-B2A2-615A-D701-00000000FC01}43245872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.620{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9ADB7C4A9B655B85A9410CD14139F69,SHA256=A59979D6C1BE6047DA493B384328956CA437E73B35635AA1E6E070A062619015,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.409{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49548-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000103784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.409{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49548-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000103783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.388{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49547-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000103782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.388{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49547-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 10341000x8000000000000000103781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A2-615A-D701-00000000FC01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B2A2-615A-D701-00000000FC01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A2-615A-D701-00000000FC01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.261{58E9C193-B2A2-615A-D701-00000000FC01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.182{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32BE37F37983830B9A57F33A8E364E3F,SHA256=10A1C46BB465B931B4DDC900A3D1921133C7C758151EFBCD79ABB85D823BF85D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.917{58E9C193-B2A3-615A-D901-00000000FC01}52241028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A3-615A-D901-00000000FC01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B2A3-615A-D901-00000000FC01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A3-615A-D901-00000000FC01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.668{58E9C193-B2A3-615A-D901-00000000FC01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.651{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443D669CC120180CF10B125DFCE276D7,SHA256=2109A0303B980B1CD5B1834055F37212F185315017F2540D69F6F83AF99717F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081651Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:03.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E38DA974966707DBA33B10F18131B38,SHA256=675BC903A96EC34937AB4B4FC3C69587369F6DB46881F7B2E9DE90E3E6D31E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.418{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49549-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000103798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.418{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49549-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 10341000x8000000000000000103797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.370{58E9C193-B2A3-615A-D801-00000000FC01}66366528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.276{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B1EAF9A7CF1C303E2C03FB409CDD60,SHA256=0C5843BA872F5F1218435DD7871FE1C476BD54A20D694DF49B2290A20FD8822B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A3-615A-D801-00000000FC01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B2A3-615A-D801-00000000FC01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A3-615A-D801-00000000FC01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.168{58E9C193-B2A3-615A-D801-00000000FC01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:04.745{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25B04A97F2151DAFB178B906F0EFAAE3,SHA256=D4702F8C22FFC2625B0857FC6386550088E8699BEFF5FAB43725BED65CB7A0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:04.667{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82012A8DF1A9D29E2D216A710AE8D34F,SHA256=697F1B611EB955D48B6E1775DC5C3186D764B33894CC9E929AE6BC36DEE71BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081652Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:04.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB80AADE10A81F00CCE1FA76F2E848B,SHA256=FBF906F6626D4606389899CDE299FD750A75E0F296492179115F042369A919CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.246{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49550-false10.0.1.12-8000- 23542300x8000000000000000103821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616A67D68FC80D0285BFA2F87031A4E3,SHA256=5D9F54B632755260C4D818A4692173218DF6516479A9AA0E92F6983C72AC2940,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081654Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:02.771{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50044-false10.0.1.12-8000- 23542300x800000000000000081653Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:05.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9310CB37BFF2B1789A29430ABAD761,SHA256=F2BD1F44E71306A5DC8BB6DC5003BFF9C69A59A726A3DDDE5CF6D3755C19326D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A5-615A-DA01-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B2A5-615A-DA01-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A5-615A-DA01-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-B2A5-615A-DA01-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:06.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F113F28AF7EBD3582DB6EEBDCD876AB,SHA256=39D42E50418093E801F7DF2D2AFA0391B1FE5A9EA5AC3C4B58D3929E5FC57CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081655Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:06.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEFD278601920AE16C51055F6C87E71,SHA256=3B6244845E198A58676FE46F1C9415085387089E562718F7BFC3725991F38384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:06.510{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1768E26E30C5E178A92170C5F71D5739,SHA256=8BC811F47834A4D34D5B28511D343BCD1B75AA165E753D0654FB914261698C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:07.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AF619AC252E137C51CDEFDC5567EEE,SHA256=FD517C4C9E025F5D551CD9C06DF18EA62BDDF28F14676A3F0B47E57AEDE225F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081656Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:07.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B4F4165B602ACB96F9E83DC73B225A,SHA256=23C1D5DB362684234A309950E1C103EC219F85F4BFAE3B91DBA95208B31EB6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:08.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941A04141DB6AF401E4E9B5374EC4BDE,SHA256=0658DF773777B521FD8276328DD2C03190E3E6D7E65493EC08572214F738860B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081657Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:08.609{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE53D067B91767B5DA4F55E4A393D5,SHA256=C32C0007D62F1B6AD6D3497D10F677D91C914B7A8823ECC75A2593F09C33680F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000103825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:08.073{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0xbb117d50) 23542300x8000000000000000103828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:09.745{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6F441FA617947C3EB4A8F7433EB3DC,SHA256=8BB7E31B20B4A0E61E446D5253F798516052957DEC758926D1A1B3D9D9591373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081659Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:09.703{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A41F2DC248BC018DD2138D043CE237F,SHA256=E65E2A71CA286DF3110BC1E08B0694A264043AE00FF561EA8EBBDF4F96BEA648,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:08.293{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49551-false10.0.1.12-8000- 354300x800000000000000081658Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:07.802{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50045-false10.0.1.12-8000- 23542300x8000000000000000103829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:10.807{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372ED1DD9800BC112B17F3E498419F2F,SHA256=8B734DE7304EA613B749EFC982E6AFBD0BAB7863C1FAB938C297B62EFFAAAF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081660Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:10.734{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5C3E7CD2ED352788848415B375D037,SHA256=8C606498DBF6AA7A22F145234C5BFB047B4EF24AC84D2DCD681FD1DBCBBBF4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:11.823{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3655F92D0F8112D08BFD693C876B1CA9,SHA256=D81E5B18A9480874AADEE2E77E53C6AF2892BEDEC28AF673A42982370B2540CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081661Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:11.765{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4713330BA011BBFE5DFE1F738A7E8F81,SHA256=3B3B1EA418DF9038EECDDD88F09AB21C9273C059220415DFD44447AF5747802F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:12.870{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27185A43E68D8C29E688A10CBE35C454,SHA256=29EA157538EFB3DAD84B1F80BDCA4CFE6C90D8A3B70BC56FAE0ACA0C7B315A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081662Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:12.812{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADF7C4ACC0F35E9ED5A05939A62F32A,SHA256=94AD833E621C63BD31E53557171D1A000389C5C6BC553710BB8B6D8204ACBBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:13.901{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E5111E06F9186AD7F75BC2FF107C01,SHA256=8A6DAD33BA1520435CAF5D817D60B483B164DE58E15F8ADD42581484E7353181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081663Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:13.875{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EEE0C665C8808671D46124205757A5,SHA256=123A663F821CC0ED44B33D6E0D58A184779B8A6E3AA9437E9991117226A3E25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081664Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:14.890{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D612AC3C338EBE8B9DC0B496B88C0CA3,SHA256=AE6E9A5D94DBCCBB60F9F5F6F94D4824716B64F95B8F8F16E402F7D997EE33E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:14.901{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B824C880BFD7C8013BABADAC59AA860,SHA256=0D5116D5863C52A8B242549E05F2736D974B6AFD5C0A9463903CFD9722633ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:15.933{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837BC0424E07000FAA2156EC5C37CDC5,SHA256=F9378D511E756D8093F6D6F411B8369BF5503F2AAF70A9E47FC528A32D6E6E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081666Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:15.922{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E968555F4699E9B4542D5C9D6E8DF92,SHA256=026D372D5464457548CB8928FED8A5B83F95503A8CA9701853D0038248E27AC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081665Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:13.677{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50046-false10.0.1.12-8000- 354300x8000000000000000103834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:14.262{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49552-false10.0.1.12-8000- 23542300x8000000000000000103836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:16.994{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA70574B70282D3A38D93E5AD3CCAD3,SHA256=AE8FBDC3FD2CF936E4ABA78F9D00559EABBFEF290174DC2B45C466AC3F69B7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081667Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:16.929{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C53F82F9D61ABF2C1FBA559592F7B6,SHA256=04AB4B174813ADD421139E23031F3DDE8F7B2F34E0B570F26C8B7313E0EB5146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:18.009{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3D08582EAC4E2E63753316A5288F94,SHA256=86FCE6B671D0FB1CFAD14FD9D0759A9314AEA32B732EF03ABA4B4B5B436BF322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081669Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:18.991{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BA8B6042CBB9CBF960035A4535B5A029,SHA256=79A6303AD40DB2D32F9E7D0F73C0669083E7C4B87CC45746530BBF7DC7D0670B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081668Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:18.007{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C053CA4D186D54EAE5654C00AD8A4316,SHA256=ED5287B0111712795280B1D156F3EEDC39AD32DB5D0A43929343B582DC184DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:19.009{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEDDBAFB9A1BE7CCE1A2D0753485C78,SHA256=BF58AB03BBA14FF25B1F10C808F7E3A88674B2F6EF0FB333B24BE5ADD30C7910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081670Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:19.007{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0110BCCB0D17D6B3F99C0253F9294F39,SHA256=1889074D1EC075D22F6FFB0EF17ED5A045897EE5978DDBBB25B6C040331FE4B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081672Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:18.763{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50047-false10.0.1.12-8000- 23542300x800000000000000081671Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:20.007{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D5C680CF55D9FFC624A424874D7CD2,SHA256=398D15D5739CD00EB6E44F0C82D6222745A95A2AD14F8DDA9C127F691DD12EE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:19.448{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49553-false10.0.1.12-8000- 23542300x8000000000000000103839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:20.087{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4232FE4E24B3CA8A33A7A09A1794B5,SHA256=8E72951229AA3DBF35727DAEF4F7D319443E117878546A7815BF36C2AA58B535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:21.103{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA8FC1824F92EE0181BE5812199D4C0,SHA256=3F29E49B276C57B3FF528A1D2CFE8C0F199C7FAE45F9AC6C2D0D11521261A390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081673Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:21.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D103833374DFAA7EA84132E758880574,SHA256=2A4802ABE6651F04AC478F6099438CBA8C5F4F2DB711B6D27FCB8FD9F3C4936B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:22.181{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8981EEC3B8E3E7A6CD1FDE020DE0D69,SHA256=C688E809C1288240A9FE4072F0277DE6FD9F78B19251098DD1ED0E189E4B0411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081674Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:22.195{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C75DFD573B37E8B42861F373C19233D,SHA256=5D7A35F7249FB9EAE9982E5F18BB498149C87E7660EC66431DC7B422CE4EFFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:23.792{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-024MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:23.212{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFA8279F9DB81D386AB27811C7BF351,SHA256=1CA5DC02A7E518831937625CF6706D3389ACB1817F03718ECD2AC645F0D7F190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081675Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:23.195{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0DFFBF4C46E83B8D94FACC6DF84680,SHA256=B67D4D47D87E223AD1EBFC8B73A9849DC9F36DA7F479F8C5C12604F7B8394594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:24.807{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:24.259{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAF1B34ABEC47D268C85D81EC59875B,SHA256=A3AB104086363E63DAE76E859262EE5ED9CAFD51410E79B8199482397C795D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081676Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:24.335{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BB889BBD51238C9FC5AAF3064F5F86,SHA256=68211C65EAFD1F6CE070A44A19BDF053906E2FD1C1133E0FC378D52C903FCC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081677Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:25.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEF59F5097B39126DB817252510EDDD,SHA256=3BAD46423CAF1776251407BA7F5F27D343682E0022AD9976499B2C3F3147BCA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:24.464{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49554-false10.0.1.12-8000- 13241300x8000000000000000103857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000103856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018878a) 13241300x8000000000000000103855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0x63a63155) 13241300x8000000000000000103854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0xc56a9955) 13241300x8000000000000000103853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0x272f0155) 13241300x8000000000000000103852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000103851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018878a) 13241300x8000000000000000103850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0x63a63155) 13241300x8000000000000000103849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0xc56a9955) 13241300x8000000000000000103848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0x272f0155) 23542300x8000000000000000103847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:25.272{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D81FC033A30FA4BCE6461C9757DF54,SHA256=F671858BB9E60ADA4F72E1F202E0927DB7A2ED57ED79403F00F0D6E4F48C0716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081678Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:26.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2051EE672524DA8348A5108CF0B92535,SHA256=18AC512524CDBA865C5A7CD9D202744DA9E03C44C05AF9F82CA1C1F83DBA6171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:26.277{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B698907040D256CAE7FEC4466D31FF,SHA256=6C629C27002ABD6719BFA360681B8B62367239F6437E6BC0E841D9A0F010DC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081680Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:27.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CADEA8C4D2B0938E2C4BFD619486EE9,SHA256=DC4E04E987EF689C252948344453ACC278852EF97CABF56382E08B0DD13B37C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081679Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:24.638{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50048-false10.0.1.12-8000- 23542300x8000000000000000103860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:27.277{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C07CC525C62AB29038F84CE776A952,SHA256=F0B78FBFB741F6EE91B80B573B442D9B94BE0B818D66E4BDF970506250F03560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081681Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:28.538{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A588F3E47EA7FBD691D86551967CC7,SHA256=6F13575C3C3A5A4BEDD7CC345AF68A0E0AD6061B3511A24FD66B3B8FAB96EE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:28.308{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBA50A92F90FF29A7809028CCCA02B4,SHA256=2F7F4715B2E89F65DDA258B7DE34B1399F0CCDD11734CCCEB382BF74C74DD910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081683Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:29.757{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4C5BFB1E2C257B56F124A15362BB4C,SHA256=DC4B2B7F38966AF57FDA349ECF1D1616667B56B35BFDEDC65B95A7B7461FE0CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:29.324{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08FA23D8DBA552F15F919C3FEB805CB,SHA256=EEF74E21C551CF816B3911A4B34BB6671622785B08F7C97F6ACB077D1A8F6AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081682Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:29.679{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081684Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:30.820{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227C8E07B7A554557A3CB4D72DB6F392,SHA256=0973192F8BDDB636C1C763DA552496584FA5873C1C25C081B32AA3C9F5B212B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:30.324{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DA10BEF3CFFE330EB190184BCEB170,SHA256=F308A7D59DC62BA79D1C548110849C510109DFDFDC9BF385A138A1F0EE37EC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081713Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.960{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055038091603066E8C70C961A60A9C96,SHA256=03AB3E7763B269370E80A889323B7DC22243DA550325987330867465996A73C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:30.450{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49555-false10.0.1.12-8000- 23542300x8000000000000000103864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:31.339{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025789FCB4DE27A3BA7DCBC11F1E8688,SHA256=D06CF32D1429C823B4ABFD1F0668805CD2E2214923D60BEBB0397C9B395768DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081712Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2BF-615A-5101-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081711Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081710Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081709Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081708Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081707Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081706Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081705Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081704Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081703Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081702Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2BF-615A-5101-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081701Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2BF-615A-5101-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081700Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.836{2FDD8D40-B2BF-615A-5101-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081699Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:29.685{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50050-false10.0.1.12-8000- 354300x800000000000000081698Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:29.216{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50049-false10.0.1.12-8089- 10341000x800000000000000081697Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2BF-615A-5001-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081696Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081695Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081694Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081693Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081692Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081691Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B2BF-615A-5001-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081690Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081689Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081688Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081687Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081686Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2BF-615A-5001-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081685Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.336{2FDD8D40-B2BF-615A-5001-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:32.370{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EADD05C64ECCCAFB3242E8733673BDC7,SHA256=F6037F293E0D4AB793CEC4FE0C1E430FB6C0754B05778ECCEC35ED65FBAAEBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081716Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:32.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=958FBDE6ED00F8408310315DF570D626,SHA256=2EBF5666FA14BEA65D8E6A0A35FB1BDA9DD33C09B120DA8CD537DAEC4119829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081715Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:32.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62E3FBF5C5FE72E2BE4D35127A90E962,SHA256=7646A23B6F64B8A2F8C191DA8D1CCDAB79DE08A5C41A1B7BB5C88DA9B0D6F964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081714Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:32.023{2FDD8D40-B2BF-615A-5101-00000000FD01}1224724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:32.042{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B7F8537E166D6F1AE09654269B28C5E3,SHA256=CDFBAF697DA876654E6F25973F32B983E8B14D34F5619783A926018FE5BDA404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081730Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6E6FB739C97F45EF0C6BB87512EA0B,SHA256=027F523E2B12BDDD91AF026B8B4C184B8DC6D6B6126BA7B09D1A031DE5A2CE4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081729Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2C1-615A-5201-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081728Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081727Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081726Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081725Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081724Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081723Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081722Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081721Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081720Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081719Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2C1-615A-5201-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081718Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2C1-615A-5201-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081717Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-B2C1-615A-5201-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:33.370{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDDBC4D8FACCC7DE39C9E616CB297E3,SHA256=7A9FDAA5D85F3670B2E701F8B0CA0AACC965274416B4D5CB4875FAE85D799193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:34.370{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF57EFFBF025B27AF5150E6BC68E3AF1,SHA256=E213AC038635D900983415AB7EBCB7E1285EC890112A2BC3ABF1D1F402AA8AED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081746Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.945{2FDD8D40-B2C2-615A-5301-00000000FD01}8443912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081745Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2C2-615A-5301-00000000FD01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081744Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081743Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081742Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081741Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081740Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081739Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081738Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081737Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081736Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B2C2-615A-5301-00000000FD01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081735Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081734Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2C2-615A-5301-00000000FD01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081733Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.774{2FDD8D40-B2C2-615A-5301-00000000FD01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081732Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.367{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77DEAFE5D1463D5B173B7E3116DCAE2,SHA256=6EEABA1066A8E8C7E28FC2A9C4386C0853C3E4ED21F99E4241DB270222B8D0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081731Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.351{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=958FBDE6ED00F8408310315DF570D626,SHA256=2EBF5666FA14BEA65D8E6A0A35FB1BDA9DD33C09B120DA8CD537DAEC4119829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:35.386{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7115651EBF328886754008AF40928ED1,SHA256=7352611A6507DFF8F9A6C124758685D645D1ABC25764120EFE0E77E46B7A8950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081762Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.981{2FDD8D40-B2C3-615A-5401-00000000FD01}16601664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081761Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2C3-615A-5401-00000000FD01}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081760Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081759Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081758Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081757Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081756Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081755Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081754Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081753Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081752Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081751Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B2C3-615A-5401-00000000FD01}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081750Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2C3-615A-5401-00000000FD01}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081749Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.821{2FDD8D40-B2C3-615A-5401-00000000FD01}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081748Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.804{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DCC53573ADF7FD7C4AFCE589A4E7C9C,SHA256=A27508BE9B1B35111D793F839226183C64D8D7FA5470B967A1F6B460FF65C86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081747Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.367{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F60A6CCBFA3399DC113487EBB3DDF,SHA256=6F22E50CC7D9B2740E1FF26FC0C2F587BD6D47849EB37BC9F4F8C0FFBAB9F34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:36.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0334425E27A407ED75C76FAC48A7AD39,SHA256=46EB122898776D35B86992431F19E76D79D9AAE417F20ACF0DE327544B8781DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081778Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.903{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E80471D5BC9375BBB93C3585135C1123,SHA256=EBACDCA4851AE1F2E99B4CA4EE6EADA0BC0E709737F320C65734B89002C9F05E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081777Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.653{2FDD8D40-B2C4-615A-5501-00000000FD01}27362732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081776Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2C4-615A-5501-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081775Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081774Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081773Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081772Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081771Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081770Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081769Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081768Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081767Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081766Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B2C4-615A-5501-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081765Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2C4-615A-5501-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081764Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.467{2FDD8D40-B2C4-615A-5501-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081763Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D4174A754B747007B23B42860B91A1,SHA256=3C292274DC16F3F21A164C904D9A241EFCC47C5A19BD14E256AB1192ED0B818B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:36.422{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49556-false10.0.1.12-8000- 23542300x8000000000000000103872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:37.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783201E36858AA2E7F45ED44BEAFE918,SHA256=6B3435D860EC8E7E3CA919EC3E8CFA78D25CF88FA13356496BE60289DD3B9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081779Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:37.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E34BC2B4E452DEF9138A36D984682ED,SHA256=1CF663D2C439D3795E141ECD299D10CC1F6496419E63ABF116A249CAAE94D8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081781Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:38.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4390D1CCF0A34E5854A0C5908254F9A5,SHA256=F60966BF4957E720900C4271252A98FDA6EEFE9E6FEE7320AFE715FAA0039718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:38.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B3ECCC43AC293CD8C935E06B832BB2,SHA256=05F223AC090E1D4B7D74EF877D9B21B2D9FEAF10FA5D8F47CD5F24740423E0E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081780Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.596{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50051-false10.0.1.12-8000- 23542300x800000000000000081782Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:39.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71942E01FC91F0D94D923351147D331,SHA256=D06B08B6BC485B5929768D7F335748DD4CFDF2F2C44C802EB9E0C357107CF8C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:39.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51141BC07696BC1CDFA1A1B8BB6FB917,SHA256=B305303CEE5BE70FA17F88CA31FD183045B5FE3F78F443F764477047A96EF287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:40.467{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE26869733A61730A616FC37B685838D,SHA256=367510EB8D461BC0453E9E1C19EB699FA799C3098D90C17B1DBA6A6F87293080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081783Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:40.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906C1557F8C204C885CFDD192B6D92F7,SHA256=102C73C2AB90AC945A2E9985BB3469B86E417814BB932BED56610BC90CC5B034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:41.498{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A623DB47F22E18A8CE257671DE895563,SHA256=FD2A3546702C6D3F93EDD9EE1A1F553BE56D66230E7FF393A95E9D37E03BBFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081784Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:41.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B8ED3CD35CAEC9B1D81F57A526C5F3,SHA256=FF70CA8746CF9B4397DC4AF9FEA6EB008B0BD6C1A7519A918DE7C35674387DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081785Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:42.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4C7EA280537AB3135B6CB42493258D,SHA256=94AB73F668B3FF8B7BAFCD021644B4BE2930F6DECD6017A8535C6125CC483DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:41.438{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49557-false10.0.1.12-8000- 23542300x8000000000000000103878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:42.498{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B801960104EB1FBD897CFDD80FF3628,SHA256=73A15FAF086A773BCA91E44DA86E19918F91908FAF954FD96B629B6B2C25086C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081786Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:43.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0916AABDDE23A84203DDA338D0E992B5,SHA256=84347A1A2DE08C0129DE995FE6DEF01109BBFE34BC7B407C32CB4D3A8A91A43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:43.514{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA7F1F1799407937BA0636A1F5E8798,SHA256=31079128F2D631265DD70DDBBA5FD72AF1DC6F91AC9655A4C9F8B23C84B6303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:44.514{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750F14405306E7FCDCF63DB22C3F4C69,SHA256=14AE698C5A409D4A72CDE94E7ECD0245817FE5FD30B91FD75C0CF74C06E93292,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081788Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:41.627{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50052-false10.0.1.12-8000- 23542300x800000000000000081787Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:44.466{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4BE64EDAA0AFED3E862D74BA2F11E9,SHA256=DAF8559F8C37E9DAF37F815165C0948C9109B8B26230D9E404BC64F421FCCB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:45.529{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8AF74DADB302681CEBA04C742B20C5,SHA256=7DF207BFB581F071EE743ACF5E04882D7B8E3CE71206F8430940E2A366047AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081789Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:45.466{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B6BC0EFEB666ECDC7A3606C1E70183,SHA256=DEDEF89E148A368A16AFF86081E2B1F9C36A2189469598A8C1B2337D2947BF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081790Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:46.528{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46916CBC96903DC54E910466F0811DEA,SHA256=9D205895776A8BB378B5EC6453C654481AE8DD027B9508FB7C46E51BA102B5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:46.545{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649AF7305EEE26B86B6AB9C4918ACA2C,SHA256=70E1D8AB6DC9F2645FC56C6EA0D3A12E3BEC61179DD5C6BB069F9062CF37C2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081791Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:47.684{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6442E30C0C1B291B17DE803FFDF888D0,SHA256=358ACB7BA954E6CCE07B2D826B4C179B5DEC39746D78C5556CD87F9D3B26A9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:47.576{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E8B5C141954ED2D6569DB0C31CA5D0,SHA256=8D8A2B929071F9B8D66FAE9805FB527041ED75B7301567E81F38D99505DA06B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081792Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:48.809{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6EA144001E388DAAEA6E83C64E34E6,SHA256=A46B895161A9DD68C274C71F90B4FB4C027C3ED4117850CBE8FB5855B07922F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:48.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42028285E183B8C4CA8F4A4219F92744,SHA256=2ABD2AF3760254776C2526366B6A597BD807F9C1BB219E19362708111813CCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081794Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:49.950{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0DF5968A1C559995ADA8B53C679A69,SHA256=349CDA5C5B85A4E547788A20ACD4902A6FD303EF034CBDCD4B0CAC5D2224FCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:49.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2815305B778A83F1FD00310A161DE650,SHA256=7EC95D5957D2AB94F4DB736FABBEE9EA4E75072CF682B5DA1122BEE29075CBA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081793Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:46.643{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50053-false10.0.1.12-8000- 354300x8000000000000000103886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:47.453{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49558-false10.0.1.12-8000- 23542300x8000000000000000103888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:50.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC097EC3AAA79340039B150E9F15F17C,SHA256=EC65807F7B01936C51A0F99396CDE1643AA4152B92A57445772BF8E93F20C733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:51.607{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187B714BE4D7B2984520EB6598F3B9A6,SHA256=715ED50EF34CA70A746166856A02231156A307619C71B046FF5C918535D1667B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081795Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:51.044{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1254B9A5549D2F3D75E85D2498FA4D5,SHA256=6EDCF36DDD24A76D33ADB8AC0E02F6CB0882922F976E5370C9855140C7164448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:52.623{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7108EC72E22AABBD11116481A9E286,SHA256=ADAF46088763750E4094BF46CB186111AEA5543706DFF560ABC9A22D6B48D47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081796Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:52.122{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423CC5449470B76ABE49E00505C2B3B1,SHA256=7CAE312DB72DE481A75712573B8F408AF5CDBF10A63C76CA7BD864439DD76A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:53.654{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44498B76E907EF533E7C746CE8AC0AD5,SHA256=8EBD368DB61C5AB25138053DD17EB9315573108055CCA715C28C9059B4E77F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081797Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:53.356{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769D07468DB8B85B78E2B9DB677F44CC,SHA256=5202878E5C440B69D09842CF69CAE42871BFEBFE170E55D75D4EE1E92A6BD57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081799Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:54.372{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A06F533E88CA7BAAEAD393FF92370D9,SHA256=5382ABAE1E550217129BF963C089D13D6828F63928C57CF844A2142FF5AD8A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:54.670{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4BBB51E7FEF09070B20FE60DA31830,SHA256=836046D8BECE01F81F2AA1E0266F920983616240E576F67711E075B226FFC734,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081798Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:51.815{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50054-false10.0.1.12-8000- 23542300x8000000000000000103894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:55.685{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5AE47E47021A7868E5865DAC2B552D0,SHA256=2D6A510F75169F30863BB118554716354BC4F49DF0784AC1DCB55888B9A63150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081800Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:55.403{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246C3C6BBF7911834BC504FA6829F438,SHA256=C3F206B7F178432015815348209F5AEA1FBAC75968166BF3CDF9AD3571C4E958,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:53.313{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49559-false10.0.1.12-8000- 23542300x8000000000000000103896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:56.857{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:56.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AB11DEF5024D0789B4915EDF1DDD87,SHA256=34FC4EC2E0737B3A64AB7F6C98B9AA092ABC0A47EB066D70353B6ACC90C599C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081801Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:56.418{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BA70CD8AEB0606FB75EE4F77C5E61C,SHA256=2A15D616F13E2B37FD28234A11B70C82A6639B52D8F2E4AFA1E5F80E62F8F3FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:57.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFE2D2F535B76D5FFB44AE3D97ED605,SHA256=CDA0771C728F854B44A9ABB3824EA0EE95EFE09900ED09159A7B895406A29C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081802Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:57.434{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515C243D4E9122CE6CE25D5F7FA7F2BA,SHA256=BE0C31E148E33247A398660CBEC69011E7A734B531F6C9B0DCA703B56D9953DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.732{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5248B814E722BCAE4FCED3D8F13A58EF,SHA256=633AD74F8DEA1E8EA871A181C9DB63D62396024F09D3A812FF97A5DC5C2D23D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081805Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2DA-615A-5601-00000000FD01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081804Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.997{2FDD8D40-B2DA-615A-5601-00000000FD01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081803Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.434{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF1C101C625E2001A829F324D5D65F4,SHA256=A5CC642BEC83953784ED2F1E2087F00587374B89E67E32A29F6507B8DABF8439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DA-615A-DB01-00000000FC01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B2DA-615A-DB01-00000000FC01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DA-615A-DB01-00000000FC01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.686{58E9C193-B2DA-615A-DB01-00000000FC01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:57.095{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49560-false10.0.1.12-8089- 23542300x8000000000000000103919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D500AAA1CD69091A91F1A45B6DDFF65,SHA256=89A75E380E096ED477C744D65310E545DF79A3AA93240A6C3873EB51B79C1B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.764{58E9C193-B2DB-615A-DC01-00000000FC01}53445424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081818Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:59.675{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-025MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081817Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:59.438{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC232AB8B45AE4761A745737D6F06AC,SHA256=F0269ACD9F834569E1C0A45648286C8CDFC31B5DCD63636D90EAD5446A7E8AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DB-615A-DC01-00000000FC01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B2DB-615A-DC01-00000000FC01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DB-615A-DC01-00000000FC01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-B2DB-615A-DC01-00000000FC01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB5C26FF63453FA399F5BC9F40D00A8,SHA256=F603B01535EB5CE821F8BB87BCCDE794698E70125C877DAD3734A243FEB6CA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A54613F36A89C57A5901941342807E83,SHA256=E99179DF7186F0732B7AD9CA61B004CF3B89764D538CB99519827A838867530E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081816Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2DA-615A-5601-00000000FD01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081815Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081814Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081813Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081812Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081811Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081810Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081809Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081808Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081807Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081806Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2DA-615A-5601-00000000FD01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000103931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70C3B5032D72D86F1EB3F343D6BA7D2,SHA256=B0448FA5AABD8BA21DEBFA7A25724182BB1354D0545F95F7F5448FBB48401D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081823Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:00.674{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081822Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:00.439{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D89FBFED052D3CCB88607600DC04B1,SHA256=BB74D8F0BA760C783D5C8E35545E29BC18F26F9346A6E9982BB401D5081AA319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.654{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB5C26FF63453FA399F5BC9F40D00A8,SHA256=F603B01535EB5CE821F8BB87BCCDE794698E70125C877DAD3734A243FEB6CA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DC-615A-DD01-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B2DC-615A-DD01-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DC-615A-DD01-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-B2DC-615A-DD01-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.266{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49561-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.266{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49561-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x800000000000000081821Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:57.768{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50055-false10.0.1.12-8000- 23542300x800000000000000081820Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:00.157{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B831ECAE67AD99EC2061D4790862DEDF,SHA256=7F9975545EB4EB828E4386F212DEE05BFD5EA11AEC62001EE1AF55FB69364DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081819Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:00.157{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56C586A7EF5ED4C7688E78E611543013,SHA256=5757620F1700A6FA4A53F98426225F414B749F208B32E6196E425EB20F7815DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:01.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25331D998076C5194E17F12E9153203B,SHA256=C6EEA3F530E01084D07A693E09ABDB99D2D7BC2A152E1C2213CD5B4733A1C5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081824Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:01.442{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BB58CD0491AA5B4FAFE74A1037667A,SHA256=D111FE34395B6A32391D1F91B01883189903ECF08FA9741D57216E99F06C0639,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.438{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49562-false10.0.1.12-8000- 23542300x800000000000000081825Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:02.442{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2647CFD25CC7C78E1DE979EA70AB7D1,SHA256=B90F3096BFAEB52B685B5974950B9FB3C8995C300A3316D29EF9E0B6E1997C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.810{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEB7F91C0CE33D7F3FC219F9FC171D7,SHA256=7F39A7CAA1AC7F9D4E6F985D24C21B2C55DA99590EF0A6407DC510DD7969A2ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.373{58E9C193-B2DE-615A-DE01-00000000FC01}57481112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DE-615A-DE01-00000000FC01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B2DE-615A-DE01-00000000FC01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DE-615A-DE01-00000000FC01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.171{58E9C193-B2DE-615A-DE01-00000000FC01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.935{58E9C193-B2DF-615A-E001-00000000FC01}50604448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC90BD880ADD2257405E2378CB2FC520,SHA256=1862CFE530C4860AF6ED637340071CBCA13BAE0AC68E19583E54A5B228500F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081826Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:03.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB621C7B1CD91F6EE318BEC8754E73C,SHA256=BCE1177BD1622B32D02A55FB860AC3AF24051B69A22259D8D16E6F318E2776BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DF-615A-E001-00000000FC01}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B2DF-615A-E001-00000000FC01}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DF-615A-E001-00000000FC01}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.702{58E9C193-B2DF-615A-E001-00000000FC01}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.420{58E9C193-B2DF-615A-DF01-00000000FC01}5516904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.295{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95F51247DAC2A5B22E82430E0EEFFAB4,SHA256=52D3A8055AA2E0B6C6D8AB969EDE13F72A6D9B0623DF7354FC076B77B6D5D829,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DF-615A-DF01-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B2DF-615A-DF01-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DF-615A-DF01-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.186{58E9C193-B2DF-615A-DF01-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:04.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1A4C1F46A383EB2FC81C3F7DBE837F,SHA256=E55B22531D1E92A161FEED655D3C52E5B4AAC7D215FA414F29CE6EFE340B46ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081827Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:04.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DDB24F71676ECF1D90F2FFD3D2BDD0,SHA256=D99D9DF99E9B0DB8C08AA8867747CBB3F1AF890A0E0F6F06FD4334BB5966C22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:04.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BFC7D6428A1217E97ED457B092CCED3,SHA256=0783818D67F17BE99A21B319335ED85DE04A0A0D198B2F343F2929DE91504C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52876AC33EDE7FC0442B78A36B11E87,SHA256=BACBD2C60D8570BE477F1906B774A4D09B1D76A63E1DDBABF53378F810784E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081829Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:03.729{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50056-false10.0.1.12-8000- 23542300x800000000000000081828Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:05.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57846219523D650BC787E6D708D6B8FA,SHA256=110CD0254619444F7273748CC8981B538A2C925CBD24AE15B3DDE51F3E2F9D35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2E1-615A-E101-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B2E1-615A-E101-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2E1-615A-E101-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-B2E1-615A-E101-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:06.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB95D6EFDA153514503BA678DC60DC6,SHA256=606CC4D705B291DC5714C46ED644074C3901380C8B78564C1F1838A4F4153746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081830Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:06.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037CDE6CDF038B63963EC1C77F1D63BF,SHA256=EA5FF8A93A98A67444DCF32B945775A06B6AC1851DB298F3E476D021A78979CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:06.342{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEFC8C5BE79DE16E92CA6901A1449579,SHA256=2903DE4978E5CBE9374E79F8C54D36465429B94BD72E37C89273E3B1F07FA124,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:04.470{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49563-false10.0.1.12-8000- 23542300x8000000000000000103978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:07.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB35F4EAE8C61D24BEF14129EE018328,SHA256=72FFF625C52F7A8755661AE776916282DE140A573879901637AD83831664E273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081831Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:07.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F59DDF0F08F8C23A291EE59A1F5F54,SHA256=CB0383D58BA95DA77033843EA0AD3BFE7E325379BB5665683073328E4D76056E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:08.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3FFEAE695E7E3B2F4692AAF3C0A426,SHA256=4F4DAB7BF0D60BF8DBEA8F97B3855678FB3565236B1BFB8DF4DA198B0BEA8D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081832Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:08.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A73BCE24B847EAD080313E6FE940CF,SHA256=9039DBBFE0B3C82AB239F97096E5D83B8CA5D8B97E4677F8ACB222ACF0810A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:09.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A69A6B71EE4FF27A15F6386E4A7E4EB,SHA256=48A74C4EA0D070A75C5E9F7EFCC5107523EEF907EBCD622DEA369828F4EFE38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081833Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:09.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFD31F301E00F71755BCB72D8ABA13D,SHA256=F5EFFCDB0044A4385ED7E93B96C99DD607FF30DB8389321595C79C861350234B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:10.904{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCDCF00C76D5753C58682BDD10BAD3F,SHA256=944D1575A127ECDD3FC33986F03AF0827EF507F926022784134B1D14D2971EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081834Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:10.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5183184A97CCD766E8D66BDB5AF739B,SHA256=CD159DB32F8C56496588D77B9ED0B2307A6D5BCA958D37B4D1C07FD264CC7A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081835Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:11.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D030CDF1336B94959BE8FBDF69C3ACDE,SHA256=76E50C7D4E0CA4CD30CAF9E359DFA6E058253707CC1AB9325A3092D6230EB3C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:10.251{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49564-false10.0.1.12-8000- 23542300x800000000000000081837Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:12.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B328CAF0B9BC720D1CE48E15472A77,SHA256=642D3E4EBB6DF706ECE4A78D7E0548C917BF26DECB49A16A6D3799A13A81F000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:12.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34D956C6A431414491D303B6C1CCE65,SHA256=AF7F6F431243DE9860A96234FFBE3B755CFEB37CA3DFFBDE3904BA2F30DA5517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081836Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:09.655{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50057-false10.0.1.12-8000- 23542300x800000000000000081838Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:13.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038CAD9E615F93102A9C4A69B7CBB104,SHA256=8267E4305167A6E492AB27987313601E9391BDCCD3DBB7B0D1A52A081ED4B034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:13.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4B46EB094C69F918165F8B57FD2766,SHA256=CC85439D34B9A714CDE17E9EAED08032D3D04D54A858E7CC03889B0C9CB4FD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:14.154{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CC129CF1EF3943B035DE3CE104B6CD,SHA256=B75E9B3929124BDB0CC9D14CF817ABDE7770DFCA5428178316AA7CBDAA5F2F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081839Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:14.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD310711020F22B3D83D4DAC5BD2630F,SHA256=BF0BE3F9E82A8484D87E2C09A7E2B8197DF57EA8C23E55AE5B5C9BC55357C864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:15.170{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46A8A0234B3D513FDBF61AA5BC6D717,SHA256=B0E8F67BB093B2CBBECC584964D697D5A9BF0D00AE5419B4DE20D08CF6D8C99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081840Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:15.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D54319140BA90FCFF93915E721D505,SHA256=78D78CC71EBA372368E6169BBE7E4E00218B898A24F6E78F8B21A7998AFB22D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081841Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:16.463{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3AF4C5EBE6AF7B8C93CC9B95E5FCDF,SHA256=BE3FA8E5658D48850F2CD4169FDB9217DF54FE99480CFFEB5B3D6D4BB84D3E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:16.214{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27558157BAD7B336DAAC0155AEAA95DA,SHA256=F77BE2DD89AB46B2EFE1A7CA1A13B05F32E10965AD615AA899C57545118F3AFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:15.376{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49565-false10.0.1.12-8000- 23542300x8000000000000000103988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:17.214{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038885E24302CC54D4A5BF56F50725BE,SHA256=B53A8CF7A833EA489EF6C318EBE2D2C6D21E77650ED2BE191AA40F7A52D12159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081843Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:17.463{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E3EDEFE657FEAEED6E1218220C7ED1,SHA256=BB57D11E95A8ACE812C5AC30FCB5B848623BBA157C16FEF5E4D290FB6D1D2C96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081842Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:14.698{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50058-false10.0.1.12-8000- 23542300x8000000000000000103990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:18.245{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C9B25C9E93D8212D41E252C4E90ADA,SHA256=1626BC0ECE78A6B95C8CA4B43A153964F1C0359417E8894723E7100631246F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081845Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:18.994{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F7A618B8BDA8559A281BE059EB0F60FB,SHA256=B0185771C695731CBA937D94AB4A0AA6D8EB56BC2D1F4A80EEE1E08C3B88CC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081844Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:18.463{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9420568791BB1D2D30D025B9FA9242B7,SHA256=3C5471294D42F1CA9780115438F6D9FC7B42F2A7B0B303420110242F1B798EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:19.245{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6EAC87ACF4747D4F947270C4E38296,SHA256=7C373F8B7B4FA75897265DA395BDC14A7D8A10872648C5F665E5B25C62ABE730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081846Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:19.463{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65BD86E35934F83C385DDF5127C151B,SHA256=BC3EF5E670A2025C6E1954BD27A11A582A4979FC275547EC7496C63B82FE0AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081847Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:20.479{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E6172D24856566F84117C30034531C,SHA256=C1CD4CCA83E9E60A99AE60A26DCE9AFE9AB21346356F9DB3B05F6553A35B0030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:20.245{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC08B871F973B0BC20EC0DBF08D177DB,SHA256=B36AB0C7F792FF590620A2954A38DCF0F1DCA01A038B9332748391A4891F1B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081852Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:21.479{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040E7BD6C4E174B7753BC6C0034BA0C6,SHA256=834E0CD991C59DE2E8A5AFCD2C31EC1D07A755ABAC5DD5025955D9F6D76525D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081851Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:19.769{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50059-false10.0.1.12-8000- 354300x8000000000000000103994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:20.389{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49566-false10.0.1.12-8000- 23542300x8000000000000000103993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:21.261{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48D215C1F5865C6082638DF929887CB,SHA256=6E450C4173A66147640523F9BE96645C1FF20888CE0F6EA262A1C0BF1095F986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081850Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:21.260{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081849Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:21.260{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081848Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:21.260{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081853Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:22.713{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89CEF54F84614E964C6EE35393409F1,SHA256=F171D21A2C0C577CDD54510804317E58A801C905C2D75AFF7F658125D4005227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:22.261{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB29738817948ECABF3A51BA929CB8AB,SHA256=3491DEFE81AF5F511B376CC24ED44A7AD3F79DD89BC5B57CB28FD905F1BF1FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081854Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:23.932{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14549DF2F2A9B62C1531767B02B1F2F2,SHA256=42E2C0597C446886D7E002166DEFDE4252EA1FDB8A836B323B8E0AAC813310BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:23.261{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F332E3B0936D062F85C8A3D6918B5CA,SHA256=E9B5F2D617A7BFF78AF198C7513790C98F4ACFEA2BC21E0B5F399280D5164CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081855Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:24.963{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4258C12DA4F1D0D8367E4F72970F1BFC,SHA256=E6C0228383F02DFE93805573C6A679A01653B6F889A3AEC9E5348497AC8B9393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:24.261{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA921C8974EF65C0880D196A28F93B9C,SHA256=033F735C8709A531550B9DDE33AAB16E0AD72DC3F96AAED9A46B4142B18B96B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:25.328{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-025MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:25.263{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C7CF4603E02E2922235503B9C6A047,SHA256=2FAE74879006DD003F4788E5C595B0A4F780A9DE92B513C98C6E1DB8B9133E1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:25.438{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49567-false10.0.1.12-8000- 23542300x8000000000000000104001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:26.328{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:26.265{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF878E4827AEC2CB42D33C592FC47425,SHA256=FEA92DECAC700EF8129CB4ADF77FC7249AD330FFAA9F39F2B7F94C8A7882F767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081856Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:26.073{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A87858788409952A05C4DDC0D8175AD,SHA256=6E223D87A55E33260837B5B4B8AA02B9D9DE5BE2A3C6D01E765FD151645300E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:27.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C447D270A0292927D067CBE022799B,SHA256=2C1B253E862331839646FA15D9F3ABD50ECE4A755F10E5B69CAFA58FA4D13326,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081858Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:25.766{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50060-false10.0.1.12-8000- 23542300x800000000000000081857Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:27.166{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DABDB4EE49F5BAE26F39AA834DF655,SHA256=F7BB68ADB0FCF55893FB5ED1475CD9CC415331BA678FFB203321B520180D43D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:28.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9281F9B417D6B6E9C4A7D44E85F162,SHA256=F499D7F60FBA58657B061A9CFDAFFD0FF87184F72F096CAC1B4BC9C247CE87B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081859Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:28.166{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85019B45FA4637E3D7AD26E6A0DE4876,SHA256=5407695E31306CEC50D8BF673972ADD17AFAEA4D6B111287555251E5042AE6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:29.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FE8EB9EFACC322978F0ED7D41700E0,SHA256=A72631881C42C3C203AE8EC8DD6413EE0EF4C3AEEC301489D24E4F2923E0F081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081861Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:29.682{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081860Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:29.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1FAF1D8E816B4FEFC13CBB42C29743,SHA256=64AC6FDA02A21F131ACE665D7EBB3FDCD07EE215ED39657284D0D4EC78DD8313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:30.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7544954B3EF4A3818FF90C51DE093C4A,SHA256=B0AB13665C7A554426D0217224AE4F48F88BC844965A379E9A0A17EA369DF1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081862Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:30.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F753025178F162D4002B371F948402FA,SHA256=485BAE2F5AB5FC41F9806EE2F66D3DC76E7C469DB1D230CFA327A6D907692001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081890Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FB-615A-5801-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081889Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081888Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081887Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081886Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081885Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081884Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081883Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081882Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081881Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081880Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B2FB-615A-5801-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081879Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FB-615A-5801-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081878Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.855{2FDD8D40-B2FB-615A-5801-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081877Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:29.235{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50061-false10.0.1.12-8089- 10341000x800000000000000081876Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FB-615A-5701-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081875Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081874Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081873Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081872Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081871Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081870Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081869Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081868Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081867Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081866Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2FB-615A-5701-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081865Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FB-615A-5701-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081864Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.355{2FDD8D40-B2FB-615A-5701-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081863Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.307{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAB568B932B1A0EB26E8C11D31A8988,SHA256=5E11E0BAD781D709F5982D4BECC04B1C22AB9A67EB59ED33C798F3A11141E9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:31.285{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AEE0E7F96740D2BEEDA18162BB21EA,SHA256=9B052569507CC16E0ABF8EFEE771313C59595DBDCE4B8F9C771DE81B606782AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:31.444{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49568-false10.0.1.12-8000- 23542300x8000000000000000104009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:32.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4705B7F7B5245BDDA679BC93567CAB28,SHA256=1434CEAA222186C467D95814C9627E8DE3E78192D513D738DEBBD682915BBFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081894Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:32.807{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5264D8A6E2116C08AEF1EE4F7CCC52C,SHA256=5039A86A07F588B8741FEE3AFEF1018759992A0B0D1ABA3345E323B180A1624F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081893Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:32.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=890800180579C02E313A20C38F93FC1E,SHA256=E65F0B86084935BA02D2812BAC24000B6E0810D7745808CD9F4C055522CB0A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081892Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:32.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B831ECAE67AD99EC2061D4790862DEDF,SHA256=7F9975545EB4EB828E4386F212DEE05BFD5EA11AEC62001EE1AF55FB69364DEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081891Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:32.135{2FDD8D40-B2FB-615A-5801-00000000FD01}11682264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:32.050{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76710428959A4E843EAA054029FCACA0,SHA256=B5D774C6A19CB38527D765A4E51D3980AFEBA69574B540C6F972E231D3A1ED94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:33.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AB49EE0501DB265A82791F92004729,SHA256=08DA29EE3992FEF5A08C46F4859E45FFF2D502CFDDECD98E3579FF9FB372E46D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081909Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.751{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50062-false10.0.1.12-8000- 23542300x800000000000000081908Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51595EA89FC1CFE9B02FC8398B09D5E,SHA256=75D49B789C2D9AB84AD1E7640F1AD20380DBE043B3962FB4F2583F1D41C4AFBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081907Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FD-615A-5901-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081906Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081905Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081904Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081903Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081902Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081901Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081900Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081899Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081898Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081897Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B2FD-615A-5901-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081896Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FD-615A-5901-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081895Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-B2FD-615A-5901-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45484880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45484880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45484880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBF9E9BB11C585FF59A956FCACBBEB2,SHA256=83E4B66265E486C18EDEA7D8F68AABBBCDC9D80DBEFB2AC8863CC1411748EF76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081925Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.948{2FDD8D40-B2FE-615A-5A01-00000000FD01}12683408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081924Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FE-615A-5A01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081923Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081922Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081921Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081920Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081919Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081918Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081917Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081916Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081915Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081914Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2FE-615A-5A01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081913Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FE-615A-5A01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081912Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-B2FE-615A-5A01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081911Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BE60FDB8EEE4AD3912D7DC40191610,SHA256=2178447E50DD68766CC390ADF73F69E0836D951DFB62B62C59182C07A37E5043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081910Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.151{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=890800180579C02E313A20C38F93FC1E,SHA256=E65F0B86084935BA02D2812BAC24000B6E0810D7745808CD9F4C055522CB0A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081941Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.995{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65E01B48771342FBB9C588E1715C3E37,SHA256=0CB8A3162A97EA6290F224567734DA2C43B76ACFB95884A0A100282A9297D140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081940Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.885{2FDD8D40-B2FF-615A-5B01-00000000FD01}700408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081939Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FF-615A-5B01-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081938Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081937Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081936Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081935Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081934Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081933Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081932Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081931Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081930Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081929Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2FF-615A-5B01-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081928Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FF-615A-5B01-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081927Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.715{2FDD8D40-B2FF-615A-5B01-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081926Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.479{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899C01F1503A66923E9332B8A22A13D9,SHA256=D3DBD1E4AA1057672655A4F5BD5C83EB6CF0B482D43A826324152CCDA3B3DA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:35.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAFA98ED8DEB20A4BB6ADA095438AA3,SHA256=BA4B3F4DD5A60C8F0F36C87A51FF5120EDDF91C37B25374090144A569A9C0506,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081956Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.669{2FDD8D40-B300-615A-5C01-00000000FD01}32441420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081955Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F233FBC752E985AEF26D15D74AA83E,SHA256=BAA1DFD5A74168AD5D6EA3D6807B13BC00899E3DF30B9340794E76E512CB3250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081954Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B300-615A-5C01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081953Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081952Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081951Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081950Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081949Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081948Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081947Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081946Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081945Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081944Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B300-615A-5C01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081943Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B300-615A-5C01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081942Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.482{2FDD8D40-B300-615A-5C01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:36.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC6F1ED844294CB6B4ACD053E56A263,SHA256=9BA527B79D340D4C54139E348117F0C0825913515FC060391A289832DAE20F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:37.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF18151E1C52E675D03BEEB3917847D,SHA256=249FC0204810EEFD68BB3CE9164F3F1C18393CE07E01481B7B123894DA809DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081958Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:37.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A851FF0CDE14F146BC089D3045B994,SHA256=7BBA41577D5FDE9708F565B967FF5AB9B71C46A03225F23AAA39E76356EBF0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081957Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:37.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4747EB022E883044FF0D426C13D6495E,SHA256=B9C1028E93B4442B19892B90A7DBBD1C0304C438C5F6E32861FCEE5BF98B95FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:38.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2387F5A8F60C6970A463E16FF983995,SHA256=7F0E91188934B7FA8990CDC687BE2826C4B3E50D550CEBEC0049A1CB82706EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081959Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:38.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A822F4EB6AD737C5F25A78743A11B8,SHA256=37AB659E89805771C1E701359A0BC58C2C4FC3EFBECF49DDC3E4E0A7D65BC678,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081961Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:37.565{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50063-false10.0.1.12-8000- 23542300x800000000000000081960Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:39.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23F61AE9E8FFF3380E16B322C4908D,SHA256=59C571C238B1C8264483A1B1E612D5C7475DB0D3F73B4538151B64611C6A6E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:39.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0431B50F05134E06CBA0404694D3229F,SHA256=5D48C39A6EA71E5DDA59B8BD66112612E4A64C3742146ADA8ED025912D791F7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:37.345{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49569-false10.0.1.12-8000- 23542300x800000000000000081962Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:40.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB9C19D59C6A69A20217CCB41FE702C,SHA256=40DD7760206AEA2534DB03869017B0B1782BE3090436B781E76F3E56F02D4906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:40.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F348DD5064A63566A7A435F61AE30B,SHA256=A4812F0E9959C32E488064F1862C0591CE68DE93D5D3A714B6F055589761727B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:41.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CC16B382C67F2BED1898E860412C9C,SHA256=77366B8A250DEB3CCAA78764FE61217020CFBA8801589872629532B5B3EDF4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081963Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:41.513{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6654CFE80AC896466D56877EC01A8E3,SHA256=BDC41636245EEB3B7263B005895B74A70C818094690D81FF8616716AC0B8DFB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:42.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5F91FB3BCC210068C6A63F34B85FCE,SHA256=F03FDB14AF6FDF10D07EDDC37099841DCD2E2CBBC68E029106DD3933892566CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081964Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:42.513{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AE4A67993704C9D6695196AB7F0868,SHA256=6A72AD2E5D9814F5D71C63B93B71EF5E8C5FE93040DC7636EF5A264554083EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081965Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:43.513{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE93F8D1AA069E160A787AF6D757B29,SHA256=4A5427E1C56C00E9B4DC1849D045B43E43FF7D57131C6ACDC6B7DBC28A70164C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:43.622{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=BAB13A270F23890FB19DA0B9344FC1DE,SHA256=5251E0D53734AF3DD9568F8C99F007819296565B57554398980D1F766EB259FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:43.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4004E66623EF577011E111D9236A2299,SHA256=9C56D102BB38FC6577E8C8BBC765A54E4A9DF51F47BEFC140F8BFDA3444042A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081967Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:42.675{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50064-false10.0.1.12-8000- 23542300x800000000000000081966Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:44.684{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BAAD364FFC95EC1089107A89C1C91F,SHA256=DBEBF802123BF239158C51A6AC2359CFDFD90A2668B9F9497FD748AF85EDCC2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:43.391{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49570-false10.0.1.12-8000- 23542300x8000000000000000104031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:44.419{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E13ABADC3A165338E18CFB9F8DA185F,SHA256=66C58E771639EFAC81BD2B5BFA6C1C8492F2260A07454C3D0D508B129FD38F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081968Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:45.716{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F1A28889D78F21ACA67A3AEA599FB3,SHA256=D414FA296006F0EF0F155564C113A1A36AF06973438AD9AE0EC5A71A9FD774D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:45.419{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFBC74B9CE5C2806634501D780D52CD,SHA256=6C8A3E753F9B542551EC297BB581B562BDC30EEEB59B4B87A386E56DF379A81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081969Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:46.778{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D8705846209DEFDF9E829A4B6F74B5,SHA256=49971C7BBE69CD01F2B98C125A4ECC264A09C1BFC982259499D96FE494529FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:46.419{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9184D786BF9172BF67BBC060A1999A,SHA256=2BF92A4595B0EB54D492B5199E07DC37D04322363FCFC4155D1D0D781964B202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081970Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:47.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2227E45B0D01BD3F0D70C24404152AD1,SHA256=F3712C2D6586386F5E612C6FB425167D2FCBA79208F23E9DCDB0734C2E880E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:47.435{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F7B4603F7882316035DDE51B52852D,SHA256=64AE1CABC351284E98CB0FC27D5F42FE2F49C57C963E99B0303B45FE01C85F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:48.435{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F09BB1F669F1FD42A203AE2DB1D4C30,SHA256=F7D1892FAFB94DCA361470781A0CF90410785E403E5A38074524EBCA199C46EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:49.435{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0CE83019822219C47113705D2026E5,SHA256=F35F440D762F36495D94CF31BE3DAC03B0667CBF84443CA0575E92EB8FD84AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081971Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:49.075{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBDD6488102BB5C88DDEC44707CD93D,SHA256=92CAAC57243B038597063E61CAD5B7A758D1E59C15C6DDF5D6C07D726AE57489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:50.528{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336381FEBE302AF84FD26D62086045CB,SHA256=64807052318EC81C071BC0212C93470457A24D28D3BFF7E6C4E59CF8057CCE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081972Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:50.091{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A581A5CF310C59312B65B6BF96D5460,SHA256=4060F0CBB4D01C75C8CBF12D628EE830325BCF820D0A4A70203297FB64B2F07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:51.544{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E9D3A3FADDE98FA52DB661278F38BF,SHA256=622914BCAB6B19C3D29325013CAEA8A9ECA40DE0D585F779A08EA2A3E5B77B96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081974Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:48.612{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50065-false10.0.1.12-8000- 23542300x800000000000000081973Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:51.169{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3CBB6039E56FD03CE571494A562C09,SHA256=B2E0DE5147FDA7C8A278E31A3ECAB36DFB6F881975D02BC94F77EF491E3C3985,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:49.423{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49571-false10.0.1.12-8000- 23542300x8000000000000000104041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:52.575{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338FD7AEE5C152C06308820E42E57454,SHA256=9F98862CACABE78A79C987D7F45DA21DD712E5B5D952C0BF596B03FB1A5CD571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081975Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:52.216{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0994744E408B03DDE1C75ADE6EE17B79,SHA256=838B1260C5A3D0E4A326F9CB9FEC0C95E1B90285B12608F950BA18118B135592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:53.591{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398F1016EED1565D08D4EA39ABE92338,SHA256=C53200662DABCD97864102E2EB05F1DE27EBF1C382A2C170552750B676879222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081976Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:53.247{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401177E1A0709760C57561E748D4EE39,SHA256=8C4BBA63AEF43F7761B0F31D828A563BCA4A01627A98791E85BF1AE0F3874A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:54.591{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC33AE35A2CFB671E5818F0C3C61C457,SHA256=C3B46A3C23D403E22B14C66B379E406024FB67E360F6F3A26721136F969398ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081977Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:54.247{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5325ABEAD64CABD544270AD5530947ED,SHA256=380EF9FD98076B386B1DD5510FCF37D99E1745D2DC6E30C51B332506DE76D299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:55.591{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D8371BD997939D5778C571CBEB4258,SHA256=B668B006958C126715AE901D8ACB727EDDCCE60ECD998E8685D30AB22F0D661C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081978Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:55.278{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13458AB6F022C3103EFA76FF9AA37AE3,SHA256=1276F77D82152ED6CDD4285E9AD9A776445B1F44BB8876470A93A4B1BBB692ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:56.873{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:56.623{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCA1DBC8969FCA29E1E23FCC2E5DC43,SHA256=37E4924A610982D117C0CE54D9808E7F13B9877FCB57B5B2804E6E9EFD46CBFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081980Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:53.722{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50066-false10.0.1.12-8000- 23542300x800000000000000081979Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:56.311{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE51B0D11305D81DFC727379AF7481CA,SHA256=C1462B51240066E02542ADCF2F464B0ADD82DDDBA618BA549AFE9D84BDE5C9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:57.623{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC2811C6005FF6716C6484F9E3A9565,SHA256=F78D86BB342FB6EAC1861119984DDC33D8FBCDD8105EFEC15FBBD7F90ACA549D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:57.623{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=F11AF900F15215D81245B000809E7BE8,SHA256=79152EFEFD6F3C958CDB4B2FAA6FF2A1F18FAB55EBE28B9873154DEC9BBA37EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081981Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:57.358{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F21FDBD35B9E3A62E5B320BE18A68AB,SHA256=E1C6C5ECFFBD0B50092E8A199E86B2102D0D60D3E853B9EB7A856B6B446C3DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:55.407{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49572-false10.0.1.12-8000- 10341000x8000000000000000104062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B316-615A-E201-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B316-615A-E201-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B316-615A-E201-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.703{58E9C193-B316-615A-E201-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.686{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.686{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.686{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA24A53AD9CB4D7B6C9389DD90FCEC1,SHA256=6EB0FB1C5451839E80A3374D8212232E98D5FCA300BC76A8DFF26FC1B6A53131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081982Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.358{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC6A8C47FD4DCC294A5B7C4B13ABBF5,SHA256=371F28D5E7D9D68DB0A3188569473849D941A876644873F77825324ED42D7384,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:57.096{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49573-false10.0.1.12-8089- 10341000x8000000000000000104074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.780{58E9C193-B317-615A-E301-00000000FC01}69926972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147455C09CDFEEE5D46B469E9195D0A4,SHA256=529DB98269365229A0E16FCAE929C96E9758F5E0EEC27B72DE3871160AFA1D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081996Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:59.358{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273218A6A89623DC8CCA1B41E5B77AE,SHA256=7143B4CD3B83F4075CF94DAB04DE75D124BBC48D3AFBF67A4E38DCF08F9C05EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B317-615A-E301-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B317-615A-E301-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B317-615A-E301-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.593{58E9C193-B317-615A-E301-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31D0C82FD5B396391479291AF9290913,SHA256=3A36C474428ADB773817D17CB2C4355F52DB06EA98276058E06B4A41BC4C7CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5575F8377D3316F67A66DF3FC29B2DD8,SHA256=C7CEC445BF3B6AA9817C1EF92257ED368B11BAE5B7E7DF9796C5D79CDCE0B783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081995Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B316-615A-5D01-00000000FD01}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081994Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081993Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081992Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081991Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081990Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081989Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081988Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081987Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081986Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081985Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B316-615A-5D01-00000000FD01}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081984Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B316-615A-5D01-00000000FD01}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081983Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.999{2FDD8D40-B316-615A-5D01-00000000FD01}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9472C58ED0BE09D7B554EFE6D0E859D4,SHA256=0B511E4F9B5E0DC8934CAA21C68DE3D40B4E4A294C1BA2B8E567EA07757874B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081999Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:00.358{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E41EC106EC7DDB480629573FAF6977A,SHA256=22F1609DC1BE1FBD8948896E43B4E068D6275BE44B696BAD0FD867DF153E9D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31D0C82FD5B396391479291AF9290913,SHA256=3A36C474428ADB773817D17CB2C4355F52DB06EA98276058E06B4A41BC4C7CC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B318-615A-E401-00000000FC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B318-615A-E401-00000000FC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B318-615A-E401-00000000FC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.515{58E9C193-B318-615A-E401-00000000FC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.451{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000104076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.268{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49574-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.268{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49574-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x800000000000000081998Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:00.170{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=977755B2A4ECDE51EE8CB141A698788E,SHA256=DA1297BE2A13B527024F2A5EAA62EB11B732E98CFDCE2C7B154DDCAFBAD4FA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081997Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:00.170{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59A3999196021D6B10E2BE10AE5C3533,SHA256=2512519E051EA08D9C1CABF60B37DFBBE2C59A8D8FF1598B56387127B03C4CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:01.702{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8665F2A1928E5F9C70DCE0BA37930F,SHA256=5CE0AF8B44F2871047C7E69CFBA43EFAA2AED5618E9044E075E60462D861103A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082002Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:01.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D298ED5A934F59CDE406210A01079F40,SHA256=34B586EB4A6B9332814FF5C6CA33F416658AD9D6AEA832D2433786DDE61EE4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:01.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2A2BB0839D07B663029957C4C78D6A58,SHA256=6400B3E56D4798E9459378E0C68118C706137E599E04435810B35F8E2C161578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:01.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5B9A4F3971B7541F5369EFBC8A8941BE,SHA256=44ED0A3325D72256CF877F22A054ED72CA7150E12C3C85D4323298ABFB70BD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082001Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:01.205{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-026MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082000Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.739{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50067-false10.0.1.12-8000- 23542300x8000000000000000104109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC579AE8C6B8A151BC37666AFAD75B16,SHA256=6C4EF8CF84B8C81F1D984B9DA4DF32BFE093B5F8456EA6CCF31CAA2595DABAE3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000082005Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:54:02.828{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0xff77a8d5) 23542300x800000000000000082004Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:02.373{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B26BA4FD164ABC170723753FAD9BC10,SHA256=87BBAECBCF4E9170E98F29F9A350D4E28B99FB49A21D715566F56B926DC9F262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.405{58E9C193-B31A-615A-E501-00000000FC01}9446028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.693{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49577-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000104106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.693{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49577-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000104105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.595{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local49576-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000104104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.595{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49576-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000104103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.587{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49575-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000104102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.587{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49575-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 10341000x8000000000000000104101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B31A-615A-E501-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B31A-615A-E501-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B31A-615A-E501-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.187{58E9C193-B31A-615A-E501-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082003Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:02.219{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B31B-615A-E701-00000000FC01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B31B-615A-E701-00000000FC01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B31B-615A-E701-00000000FC01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-B31B-615A-E701-00000000FC01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1413FA0A712B5BD9EC70EE9DF36FBD52,SHA256=23F636E6620EB91EB078298CFBC9C4B08FF75EFB2372C43146BA75190F2575C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082006Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:03.375{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B019464B4498CB08874E96B9A71323F,SHA256=9506E5A21B35C127DAE4CE471EB5D1DE595D42C2E8D636DA25686FF3448BB09C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.358{58E9C193-B31B-615A-E601-00000000FC01}63041348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:01.284{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49578-false10.0.1.12-8000- 23542300x8000000000000000104118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.201{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56285EA878C3DFCF48726EB585358D9C,SHA256=A4A6430D2E003F6EF1FAF4C59C9B7B1DC97EDE632C53054B3735EF89B43A7CBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B31B-615A-E601-00000000FC01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B31B-615A-E601-00000000FC01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B31B-615A-E601-00000000FC01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.187{58E9C193-B31B-615A-E601-00000000FC01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.905{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E180DE42A5E6DD822480F43A84F410,SHA256=68E02BD28E0CC5C0E2B4571F8A5798327DFFE97CAC8FC5BFFEECB13E519ACA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2BFDB07F72B28BE61E8AF63D9C08A3,SHA256=C124B03504BE473A03D62B4705A473E64C00BD11DD5470EE7624A0906C2B4A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082007Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:04.500{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4703E70E97F107BD331BF56421AA674E,SHA256=DF97C0819C7555CA7A6C91A543209D6495A4B5201AE43226E1D47D167E9C686A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.623{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=154759EC8C5C4B75C290C08B845EA6BD,SHA256=CCD7EA27A75603C053C5639803F1863FA225814E0B042DDA63725EAE3362DCF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.076{58E9C193-B31B-615A-E701-00000000FC01}25642556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.061{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.061{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.061{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.748{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EBCD73F7455A0F4212ED26AD5FD4F7,SHA256=3BCF23DAFA8293B3EDD6E44AEA6ABC5719990D432129C154BB0476210AB0E75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082008Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:05.500{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7540D88482451062DDA30FC06C2CB1E1,SHA256=AA5E0EA0079D40E3CB35A2896784F8239F0FFDCD4F3A0D6A45CDD90F427F96C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B31D-615A-E801-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B31D-615A-E801-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B31D-615A-E801-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.343{58E9C193-B31D-615A-E801-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:06.748{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143CAA2A9B1639540AEB079D4CE5E446,SHA256=962E97DC6272C6FE18B8BDF687A3555AA58844E89837C9D58D1A92004A19A35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082010Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:06.546{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A16F3C2A2E2A5A7927CC75B621FAFD0,SHA256=EC9F006474F011D832534C8D62805318D6CB63397318388AA399CD57A397A664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:06.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F815FA7795D552676EBBB1556AF9C1,SHA256=64C4F8BCDCA64E687631CEFF1A86EED62AC5AF3BC644BF95B83362848C810F68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082009Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:04.662{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50068-false10.0.1.12-8000- 23542300x8000000000000000104148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:07.748{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFFC8AEEF7B34DDB5974E9AFC8EB435,SHA256=C33DB2D99A9E884C3FB0F4B43605619AA7A264CD1256FC47C582E08EFDC34079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082011Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:07.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E36401A24699C1F5174D8D4E23F9ED,SHA256=7ACB25A6E8E592732FBC31A1CD15150B7BE1532E5B978CDAB643E4A12CD7D290,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:08.858{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:08.858{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:08.858{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:08.748{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4D01469970BDB6BC5514FE574D4C49,SHA256=DB091BE479CF641C6B4B347CCEF1B072EBAEC702A179C32BAE4AD2526D7FC39D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082012Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:08.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6648C4D3AD5E57F3B2EDBF0779BD68,SHA256=D6BE58234E887F3EC49C1AB16D6BED265CF50053A04D2325C610D2C9D689E779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:07.315{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49579-false10.0.1.12-8000- 23542300x8000000000000000104154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:09.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773BFAD151840A7249674FD55941F24B,SHA256=23A13D589C744B8D4C7EA23B3591C275BE975B7B8B04142A9CC4784FFB2EBCA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082013Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:09.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B120E40595D99EABA3A456FBA480934,SHA256=3D53462B65196CDCA5B2D797F72B9269A92FD1CDA9D8BBC85E7AB558B9942896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:10.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEE21138A9A68488804BD17CD51F177,SHA256=053B5CFD7CEDF5DA001FED55011AA18F5CC22AB31C93B30D3F1560F54CCCA67B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082014Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:10.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C79EB4B373C17D14D0FB69C88BB68FC,SHA256=4E80697EE58B6E36B4E3A0E5A29150B853DA9819CFDE712DC42D2705C3FEE006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:11.780{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415DFFA79CE26C5E29CA0B17CF55C392,SHA256=B31B93A30A14D957C332E0F7BBC86FFB28B98DC2FDBB36BDBC08463ED2D2D380,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082016Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:09.677{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50069-false10.0.1.12-8000- 23542300x800000000000000082015Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:11.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F740B7C89577A95E514C497D70255B3F,SHA256=C16F455BC7A7C146D6B79143000337EE324C8580A9024267CE580648EB67AACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:11.623{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=36D7B1370A07801BB48A646CDC818C63,SHA256=50E166C73B1A5A976B8A2D6965486AB84D5A24A8FA74529FE722A0D6B5EB406B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:12.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1064D2D8C0EFC019DDBFCF610B407B,SHA256=5A9A8DC860B1813B0FCAD492EE5664B3BD2C1525011D1B504F52C1A14BFFEBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082017Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:12.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51B1C4F3301981A02B3A34956772C9E,SHA256=7F38B02CA9B019D76D83E905807285A3F985D3FA848E1E3C16D04A282FA2DFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:12.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00589E601F2F9B0C5AD15879A13C74A,SHA256=C81BCA0C558BD612B4D6DE5BF379228219521902102B7EF6EC66776437F6935D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:12.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C72CDA010B3A7C7AB3E22E257F5596,SHA256=96444438A41135A5611D4471AE9A3F977094D1EBF7AF6E5BDF16CD908F9E8C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013AFB80AEBBBFCE2961A49C68CB8FB8,SHA256=EF7E587182F7D0A3D8DEA6DDE8E006E3A229CCF47C503374D08D3C842EB259F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082018Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:13.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5372435873CA419309650827E68E8209,SHA256=C8401C866CB8346D16D85461792A5607E52477EE5179820CB85DED9FAD38A0D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.045{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.045{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.045{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082019Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:14.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A230022CFADF25FAC71B1E890F34DBF2,SHA256=70B8A114700ED9F1F2983B7A6ADA527243B08BEE974287E623BFD0E676440337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:14.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2EB1FDB98728F378F190F3CC321026,SHA256=60608F40E808C3A3A2F10AA32F438C0EA14309ED50103983667D8B0B0FF339FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.300{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49580-false10.0.1.12-8000- 23542300x8000000000000000104196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E0E262CD51F8B26B7F6166158312F9,SHA256=57FD488D8AB134AA94C1641726104B062E1CD1D5F01002284387609EAB09A773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082020Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:15.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0629D5D435324C695B7090BC0E57BEE8,SHA256=FC1EBC4BE0F71117C4C20973F55FB59E5FB8A5135FCB747A58FF335CEE79394B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:16.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFFF701D02526734F013E1294DDAC3E,SHA256=48920026D11F4833648E199B367CC3CD06ED4C8029EA540099C36AC0F46D4480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082021Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:16.576{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1CBD67188B8FF664A4E02937C5E417E,SHA256=30B459CE9FE42AE5480ACA3C3587B2AEE61FE09C5911775802B611880E2D2871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:16.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:16.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:16.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:17.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D112AD8F1DC83919D02F3F0CA59BDE33,SHA256=F693C9BBD29D9A9779E1DB774BCEA3E6CFA2F26955AA34C2583897EEE784D1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082022Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:17.576{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449A68E94887E1AF9834F893A151C3BD,SHA256=97800217192681BD7016794C85F527902CD635DDF3E260228FF4FEE716BCC5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082025Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:18.998{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E74B06E78A526FAAC4986525AA473D95,SHA256=3823BF01142298CF6DDBEB888156296F373CB2C244D1A801DBD42C1AC5A8EEC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082024Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:15.598{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50070-false10.0.1.12-8000- 23542300x800000000000000082023Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:18.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4654541A78F30C122EC7D3CDC6933DEC,SHA256=006448E38F95CB39B7BE952128DE9D278746D48EE4C1DC974B11D92B95C8C812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:18.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6728076D3EE21E91B9BBAD18ED19484C,SHA256=D173D76C5DF0124DE24FB64BB53C999BDBB5E00201B39170F5E45E0D64D2FFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:18.638{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=5CF2DA39F3C96B2DCC93D748D4BE9746,SHA256=83FD7AE6BD3AA9B52A8C9F90449E9E5AA13F5B833E3D5D72798856B124F29E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:19.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6668E5DD019963A86D0E706C83934A82,SHA256=35C53F20A530C7E65247A413EDE683E409141D981E8C1AD1E8C1C4599550B4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082026Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:19.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C32EACB69D36A7BFEAB668883480038,SHA256=9BFDF698BC227A777DBFF8F37FDC58188080E8684C1F02F98222598E9546E6F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082027Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:20.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D91DCE56F25A10123CF7DEA26456927,SHA256=A597A227C63C7B47CDB3207EEA7AC17E12F0A3C038BA80D4E267465C32B4C2D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:19.299{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49581-false10.0.1.12-8000- 23542300x800000000000000082028Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:21.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D31A31DB82B529C0A6C97ABC004CEEA,SHA256=573357715D40C55A18E8D977685726DFA9FB5A186160D3FF7DBD8BE47B90C61D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:21.498{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:21.498{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:21.498{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:21.091{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF7FAB87F8BE59103ECBF9A19C1E514,SHA256=E74E9E545F65F68324633B32015BA59D06EE24267A15BCA9E6A45DBAD8CF0E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082029Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:22.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EB973DDE65549171E6DA872BFFEFE6,SHA256=6460F4D245988D3F4BA47769D34B553DA900405928E93DF717FD4D4938A3C736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:22.107{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C932309F42B28E4C49FE7E5C43CD8E9A,SHA256=7EEC50EC543718B9659EC81B32FDA1F41FE1EC84D37FE9FC42B4214A5D140578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082031Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:23.639{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E45CB986E756761B21F43BA2B65DD1B,SHA256=12DCE87AED31B4ED42E9136A70709678FF8CD7A4BEE76358E60910152947B52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:23.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4809A01CF6B87A97E4EE66B506B524E8,SHA256=63871A1EE7405C253BA5B3A21E21040D0A1FCD51F00A1D8D65FC22C80F5E518A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082030Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:20.692{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50071-false10.0.1.12-8000- 23542300x800000000000000082032Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:24.733{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9222F85E1EA0212CAC16171A00EBADFE,SHA256=774E3A2D2BB7E712C0237C08D0D36F3E187525C49E3D87E2FC208F69B9E0E042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:24.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903C8493D3097405D2BF8606B1469FC7,SHA256=B96B5AC448AAC3083B8AE532E6B1C472E2B6F5669D1BC0272BF363701BD917C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082033Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:25.733{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315118F378F2F83E41AE7C45AE309C4A,SHA256=A9F9591035B33991B24CCDF1564DB08A38A05D9DD44D875E64FE5445854942D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.638{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=8858F310E0CDA215F3D3774E6D94BDC6,SHA256=861775CF9693963BFB78944B924ADE38F450B85AD788116C61879E0B83DDC144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89DE7D96C9571B58BD27B4EBFA17E81,SHA256=14C6D20EDF12F48A5BE923527191D09E9F182FE5577116E66FDF13126C14988F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082034Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:26.889{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7596FE43EE471B8FFF674EF2E972CF7B,SHA256=0D3BADDC7EEF61F31B07610B8AF23A339F255EA575D8514974A6C2B6AEA3CEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:26.860{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-026MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.299{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49582-false10.0.1.12-8000- 23542300x8000000000000000104218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:26.154{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A801FAFDA79B095D60093AFD3BC971,SHA256=6C2D37BA5009F444727C8D2894F12FF17F0CC8B98A537D5C98DF459EE45C98B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082035Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:27.936{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F799A4D0C217FFA41BBCBF5A8DEDE0,SHA256=0562A849FC2DA17592B601A6529AC5CF9BAA0DC45092E3E102C76D2A60FD421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:27.874{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:27.169{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFADBB953EBEDE4BC9D9C1B7E160E71,SHA256=0E1BB78C94A0FFCAF8B93A5BB98A8A47C7B0213C6DE52E501E82B5ACE20D394E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082037Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:28.967{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009F281E6E70DB9FC51717BB96D9132D,SHA256=141F4B9AD4230B771BDDD099C8A0968F5A632EEDC46890A10F3ED283F67BC342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:28.215{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E39F037B044BE37B33CC787C21C6484,SHA256=0C9F21B45BA3B84E514A31A98FD9F9AFBA6C221ACF7DB0EF1B938893A506CE80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082036Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:26.614{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50072-false10.0.1.12-8000- 23542300x800000000000000082039Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:29.967{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D88A0E9C6475F3D02DF3D42F742B06,SHA256=7D59AC789C16624385D02F54A60999B205AB8A0326C888CB57F777EE48D31A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:29.235{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2106E227F78A027EB14CBA4D4ECA8A,SHA256=585F66D2835AC5113895AAEBB4E1CE4E16231C6E45073BEF9F8CDB0741E40F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082038Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:29.701{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082041Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:28.384{2FDD8D40-AC7D-615A-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-36.attackrange.local138netbios-dgm 354300x800000000000000082040Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:28.383{2FDD8D40-AC7D-615A-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-36.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000104225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:30.251{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEDD1AA091B5DA2840347D695728846,SHA256=9FBDE35219163A228CEA3705EABA94D75668982D5C54D0DFD29B81A80AAEFB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082056Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:29.239{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50073-false10.0.1.12-8089- 10341000x800000000000000082055Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B337-615A-5E01-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082054Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082053Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082052Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082051Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082050Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082049Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082048Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082047Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082046Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082045Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B337-615A-5E01-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082044Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B337-615A-5E01-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082043Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.374{2FDD8D40-B337-615A-5E01-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082042Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.170{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D575856E184DFDFE59354159BFCA73E5,SHA256=FC26815A799A1711F88402EAEF6611BB92BED81C7F8244048D4B1F6827905A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:30.459{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49583-false10.0.1.12-8000- 23542300x8000000000000000104226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:31.266{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92828242E1F7A2C341160556D6F768B6,SHA256=1B09D92D181D997084E4E202E0CC5FFE54499844F4ACEB0EDCA0B2992E4C69AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:32.266{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AAEDC605C5D964757BFB6EBFCD9560,SHA256=0BFCA87B3BD4F6140C65C76E0BA37D9861CC48E2A4CD6B8051606B81EAADC4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082073Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.686{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A755023429F3457D7BFD3D7C66E1C78,SHA256=4D48A7FE7ABBBFF44D0FF08C77D0B6A27F51B5F0F5413993A3DBF881B02E7AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082072Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.686{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745239B2D93C33C97B8345D4BBC89F5C,SHA256=8EFE8166344BE16A05DA53C317A70794B2132D50775A297AE42A8C9D76E660B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082071Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.686{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=977755B2A4ECDE51EE8CB141A698788E,SHA256=DA1297BE2A13B527024F2A5EAA62EB11B732E98CFDCE2C7B154DDCAFBAD4FA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082070Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.295{2FDD8D40-B338-615A-5F01-00000000FD01}40523224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082069Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B338-615A-5F01-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082068Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082067Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082066Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082065Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082064Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082063Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082062Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082061Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082060Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082059Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B338-615A-5F01-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082058Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B338-615A-5F01-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082057Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.047{2FDD8D40-B338-615A-5F01-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:32.063{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DC938AD812C8DC75AA1E2A8052610208,SHA256=864381BB7E28BBA7DB74C17887F7FC4DEB3912F66E476787306EA5A6AC118B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:33.282{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3105EE6D8B9D139A1E05CAC01DFB4EA,SHA256=7A778243F952D532B25BB1B88D80652313D60562957063BFCE9644AE7E836018,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082088Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.646{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50074-false10.0.1.12-8000- 23542300x800000000000000082087Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.295{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9712DDA427A421D7EA5F37FD59F9C271,SHA256=6101CFBCDC98197B5C4C8314FE643EBDC7CC4B4CE58EC0ED7AF4FA050A1E0D25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082086Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B339-615A-6001-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082085Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082084Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082083Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082082Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082081Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082080Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082079Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082078Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082077Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082076Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B339-615A-6001-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082075Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B339-615A-6001-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082074Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-B339-615A-6001-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082104Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.936{2FDD8D40-B33A-615A-6101-00000000FD01}40562396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082103Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B33A-615A-6101-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082102Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082101Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082100Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082099Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082098Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082097Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082096Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082095Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082094Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082093Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B33A-615A-6101-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082092Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B33A-615A-6101-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082091Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-B33A-615A-6101-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082090Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.295{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C731C46A6B6FAF10DFE52CA7FF685D99,SHA256=C8FF655EACD2194D23C0C0252464028151838671B93ED1CD82BC36D6682AA7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:34.282{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F634FE5A3115417A03BBC1EA0E312141,SHA256=32F973D40E1CED921D019C433CE5943467F24B0754E8FCD2FF0EF0A68D8328A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082089Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.155{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A755023429F3457D7BFD3D7C66E1C78,SHA256=4D48A7FE7ABBBFF44D0FF08C77D0B6A27F51B5F0F5413993A3DBF881B02E7AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:35.282{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A251E627832E58D4E835EE90C57ECA,SHA256=409D32949134708078468B7A51AE7CBECB873F0B412BE8AD105ED2B29D07DB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082120Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.827{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06277D7D8CF08B5E85ABA9971035CAA,SHA256=19753B33896A753898A830D822C38BFD1A64CC6DE78AD7B2195DC6BC064B598E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082119Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.780{2FDD8D40-B33B-615A-6201-00000000FD01}19603864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082118Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B33B-615A-6201-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082117Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082116Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082115Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082114Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082113Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082112Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082111Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082110Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082109Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082108Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B33B-615A-6201-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082107Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B33B-615A-6201-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082106Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.593{2FDD8D40-B33B-615A-6201-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082105Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.420{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C012B3848D1905612ADB94C7F7A894EF,SHA256=010AB53E7AC9AEF37F44FF8A50701B29AC2A5C99734D31E2807D67E36C36BE86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:35.001{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:35.001{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:35.001{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:36.309{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2F5E7F5BA5CF2C175B5C5B68B5A18B,SHA256=920868B8146B7D87D0D6225D8D8899A43932417C68AA1B653E30CFBDB22ADADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082135Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.700{2FDD8D40-B33C-615A-6301-00000000FD01}36403492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082134Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B33C-615A-6301-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082133Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082132Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082131Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082130Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082129Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082128Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082127Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082126Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082125Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082124Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B33C-615A-6301-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082123Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B33C-615A-6301-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082122Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.498{2FDD8D40-B33C-615A-6301-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082121Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.435{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4827C9D52A2A5DE46E5B64C38598302F,SHA256=917C4B6306F117D9E2957CEA5E7325B9679F5451948FB1C2BE38D92EEEC0E947,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:36.424{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49584-false10.0.1.12-8000- 23542300x8000000000000000104237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:37.434{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2866C384C16051E7DAF10F72426FDCD2,SHA256=DB7BE8B917DD151F3276E6BB5265947459FA0BAA0BAB50B1D0134E70368AB616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082137Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:37.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E6D2A18C7894F03955309659EA2B36A,SHA256=129B19515712427839877BE91F04FBCBFEDF561283D62732BE5E40D36A2EA072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082136Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:37.466{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E4738050E915C7A237A76ED07517D2,SHA256=6F43F9CAC0B42387CE4DC0C2772C53B5E9860C828B21661EA2B2C7C3DDFE0453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082138Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:38.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E973CF02094049007287A1ABA63AD62,SHA256=A1D1DF44E82818BF3748D0712C53F62ED3D2B87B76B3CC51902C7DA2F64999E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:38.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2791C6FFEA8539B2C9516BF4CD2DEE65,SHA256=3BB4DF7B67FD2CC4EE059C95BBC466ED465BA27E9BF3F7FAD0472AC45A99120F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082140Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:37.582{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50075-false10.0.1.12-8000- 23542300x800000000000000082139Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:39.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0625DFA8B87D88CFAF3A2A25AE281925,SHA256=3997F50B2F10CAED5968DCB6465374418D143D1D48A3FEE4CDEFF0A5251013CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:39.653{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=01A9173299D9F3265E2B8FBA3D52FFE2,SHA256=521525921F10586F4CF800186ACBC138A64E0C792CD466BA42BFA31139D2EEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:39.449{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A954076F1E841B94593D6FC5D50DE2,SHA256=AA0A79DD7C11B4665A3E7C8F5E93367A202C6A478ACF0A0C855A78920E7C71D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:40.449{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF145D68A0559CE36F368D66106489E9,SHA256=FCC2932F1FF3E44536A8644154289C5EDE5942D11E7A10DB4FC70781C470298A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082141Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:40.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16411E7082BCE35369F5E488E25215B,SHA256=9F2230B406C9AD205BEB5315EB0F694F5B199B0FF3C379FFF9531323DB22D9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:41.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE87A3E413D9D949F0F8F1E2F783124,SHA256=5DBB3036675BE4141438392C22B98936B2FEE4506E994BF61FBB707F8B042344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082142Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:41.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2B63F2FC4E4C81EBF66F5D6602B2F4,SHA256=D9EC8D6F0C4D9393DD98729400B2B228D07EF3677314929D62D3E91EBC1DAD7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082143Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:42.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEF17061F363142928E0575E58285FC,SHA256=9CC2DE7CD36940689C31991D4B713F1552707B6859D59AF50F45A39D9E43819D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:42.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769DCD005BD0C2ECFBEC2139D5AE81DC,SHA256=FA3B24A41BC1331F18EB16018228F6F133AC3B266F79A5D8E11694C0E19AC288,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:42.439{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49585-false10.0.1.12-8000- 23542300x8000000000000000104245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:43.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF127100C682BED3799680AB092361AC,SHA256=BEE830324B09476D611008F837C4FDC74C4EDC9AC4EF4756588FCBA4088E7E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082144Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:43.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D82EC6213355269AB5B9FE2C18AB156,SHA256=DC095B48F9DCB82A56EA22743A44BC2AF338444F44467B9B91B0B8A541133338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:44.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B95ADA5F49CFD61A121D5C18EDA57B,SHA256=AAC48C23BDCFA8826020EF8D4A05FFB568B28CECECD27CFE69D49475C331AA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082145Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:44.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949F6073DBE3E6EC111185D4C129D360,SHA256=862C16B8D1ED92D84E6634E52A5B9F1B0433B96A4C040BA1E77254AD39DE04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:45.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20DB1FC817188D84AF7C5EB22BD82F4,SHA256=CB8EF15271F67EF10639BF96A5C5D3FD58AD1D7A4C7A2B0195D9844238A27EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082146Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:45.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED39394A7B491B4534F1502284F7C30,SHA256=A808C207BDDB267E079CFCD0287E3244BD126E42B8EF4F59EE41324CD6013019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082148Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:46.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D694D8AFCA081AB2DF1209F160456E,SHA256=168DB5FFCD991DB9EAAD7A98F477E6D5DBB1A3E040C88CCFEAF0B51F43C97459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:46.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49F8C8935230F8D9E6F72C8C607B139,SHA256=4C7DBBA8090F82FD6F3544FF199CD490FB43BC4550E2C7BFEFBFC81C2929716E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082147Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:43.597{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50076-false10.0.1.12-8000- 23542300x8000000000000000104250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:47.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B85F6628D3BCD79E5364545F403EAE7,SHA256=E86FA0F18E11CB5E9E842AFBB010854BE2EBB46DBF5A1BDA987527E725395CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082149Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:47.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E253637B57111AFE7F7517C5443BB3A3,SHA256=161605489C9A08219CEB02E285C25360827FF351D59FB8B468D3D053586DBCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:48.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B7E831202C8BAD6BF64005E3078A19,SHA256=F3917A05C2C1100309ED8B9C1BAC2AD1959FA6D41F1E48C4B9F11CAB2548EB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082150Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:48.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F5E458785530351AE71EA0736A6D57,SHA256=E00326D45996D0022562925DD19AF489E46A8F552B8EA080E328BEEE60E9C2A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:48.470{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49586-false10.0.1.12-8000- 23542300x8000000000000000104252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:49.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9881795BD632287FC4B7D1DD034C20,SHA256=6DD9199F0AF0519D808DD5780121DF47A610D23318728D6B64964E8A0200DBEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082151Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:49.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D74D630619F712A5EC517193856B6E,SHA256=80203DAB0B1E3C406CE504849ACAC7CFCA1AFB4074ABEE948BA55FB3E7BB4CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082153Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:50.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0056CB26F7D4CF3AD8FFF1B39031C3D0,SHA256=F75437F0CDE488AF5A135D71DCE6AE176D6F532AA2529FBD0978EB41D708BE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:50.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597D2B61CFA0432EB953E07516345C4C,SHA256=0B472E39D0AA0D233EDBF042BF5990E78BD44FBA5470490051ABBB0C9393C95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082152Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:48.629{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50077-false10.0.1.12-8000- 23542300x8000000000000000104255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:51.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB39CE559B80078E8FA33760D2D47C19,SHA256=C66752680E488E063D01E99E045FADA5C69CE0D2473C59386958B84FB4D43461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082154Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:51.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19D692B24AF543CD344F1EC22C9285E,SHA256=D0C3F76186D9BCEB61CFF84C4145870AC7F6914F2E6403CC5C7EBA1A015B7847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:52.496{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49145CBC9A3315BD36A9D0EE7EC724D2,SHA256=F2622F272F52FFAB3309B234A67D09263B23999E17419521EDDFE1372ED00867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082155Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:52.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0A51570B445AAA6958A6F749CC15A1,SHA256=260925B4611E4662CA41EC7F0105AA709D2F4021D983583D41DCC9F25331EEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082156Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:53.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A10B63CAEC97BC95CAD51F0334F3E1,SHA256=B416B5B8DF57913B95E77F579AD5D32B324C44362F049B74132D218681F98DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:53.512{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53D0EB756C0FC3E08C7F4AFB0938BC0,SHA256=9C329821A4116A2FDD7E363760D3C4D44D77B72E76428A7A443D0C6BB1DB9082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082157Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:54.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CC516ACEB5536837FBD55A29D5B78A,SHA256=6C8779946A5E42656749AFCA3154CADF30B44021EC26F8FA050D3355D2CFF53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:54.512{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C6B9C58EDA06929F77F7C089CF0B0C,SHA256=3A4A3294229CEEE200E1BE0884595BD6C27FFEF8876E0F7A549009BBC75406AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:55.512{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F811B8E84E2C1289132C0C7E78D4ECE,SHA256=5DB25F624596A68D78BE32F64BE857B5A666E8E3ACB7E39F46D9328B0747C467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082159Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:55.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15EA57D82B1E24A787FB74047926839,SHA256=3301A8EAF46A42882E26671E61B4C19D78B6B4061A35476491E4497F09E2F1CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082158Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:53.754{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50078-false10.0.1.12-8000- 23542300x8000000000000000104262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:56.891{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:56.516{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3E823F0FDED5DBA675A478EEB53E8B,SHA256=467059A667C9368E213AB404D16C9FCA2F43F43E0A2BBE5388EBBB5550B09E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082160Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:56.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9481AA36AAC5AE0A98E78BDBD40B69,SHA256=6422626A17026D5E87865FD4C4317D19815295A456B569C888B85D4A3C2624CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:54.392{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49587-false10.0.1.12-8000- 23542300x800000000000000082161Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:57.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262ECE8035AE2C6452FE72D54B5F1B6F,SHA256=2E3945EFB72BA11F7AC264DC6B86E75BC3DFB6CBABC9E55369AB7279C81DD1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:57.516{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FBB27D650973D6BF380AAB0947DC0C,SHA256=0249254D94A9582F05B27CCB29DCCBB172D294697BCE9E815C6ACA7C956BCD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082162Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:58.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A91D184FB12D9AE0BE0D97FD16581D,SHA256=8FC27603670D80230FAFD608F9ECF657AB4C77FC618A256DA842292ACEAB5296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B352-615A-E901-00000000FC01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B352-615A-E901-00000000FC01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B352-615A-E901-00000000FC01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.579{58E9C193-B352-615A-E901-00000000FC01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.547{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317CD1326781C8EDA331FC6162F234EE,SHA256=BC15ACC38659D2E942BDA6F01EE5224F08D7DAD94B419072D9EBE48A6F06A4E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B353-615A-EA01-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B353-615A-EA01-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B353-615A-EA01-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.564{58E9C193-B353-615A-EA01-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.547{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F175D1C4A67CAD602ADAFEBD357E67F,SHA256=9E915E52D6800F41ECD5D123168985A3937E54F56D9B842B2E7054D272F251F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082176Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38B00EBA9F787B55F9F88A6D4D44D11,SHA256=AD5D6748F95C762322F017508C1B15BA5D8D639D9E8F07E131353DE56F6C9757,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082175Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B353-615A-6401-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082174Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082173Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082172Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082171Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082170Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082169Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082168Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082167Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082166Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082165Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B353-615A-6401-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082164Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B353-615A-6401-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082163Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.002{2FDD8D40-B353-615A-6401-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:57.115{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49588-false10.0.1.12-8089- 23542300x8000000000000000104274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CDB0E350962B2C8832C39FE4114F7F1,SHA256=78984689178E52A5DFB14DA012251ABA172A3C2ABDA84E5A1C8CC44A9D6DB807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00589E601F2F9B0C5AD15879A13C74A,SHA256=C81BCA0C558BD612B4D6DE5BF379228219521902102B7EF6EC66776437F6935D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.563{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CDB0E350962B2C8832C39FE4114F7F1,SHA256=78984689178E52A5DFB14DA012251ABA172A3C2ABDA84E5A1C8CC44A9D6DB807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.547{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB2161964C9A8BA084F9CF05129C1A9,SHA256=7E676C93C8C9E76086AAFF76B7DA69460E18E1864BCA8B1C541ADDB3C9DB5245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082179Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:00.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8237C124C7755D22EA3BD739DA9C5F7B,SHA256=F0AE49B7BD0B66A5CB7114A2BFD20643B6579F07D27BA4A3DFEB29C984B350A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B354-615A-EB01-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B354-615A-EB01-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B354-615A-EB01-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.454{58E9C193-B354-615A-EB01-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.271{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49589-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.271{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49589-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000104285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.985{58E9C193-B353-615A-EA01-00000000FC01}3388416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082178Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:00.033{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A004E0C0CBF25DA65B8316D92B537C9,SHA256=70D2648CFBC9CDABE72C83F69F35A8BEF12E3688A1A05DDCB614A93B6B8560EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082177Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:00.033{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF57FB2313EB42416027A592FB3A24B6,SHA256=E839AEE92604109E5CE29A7B36958A52571C4663DC6002A09131DF465E05D10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:01.562{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891F18E1DFC04688E9C02CDAC6F1C580,SHA256=F2CE7ED1A7A06C76DBD37B031FE5E62E9590BBC6A1601B553A2EC4F005DFF6CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082181Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.711{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50079-false10.0.1.12-8000- 23542300x800000000000000082180Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:01.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D57E44F68E89430CED0362DA38BCA93,SHA256=D990BB57A59EAC7BAA938EA7F612116B77C444715E5A5F11A99E2E614BB07A16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:01.328{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.459{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49590-false10.0.1.12-8000- 23542300x800000000000000082183Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:02.740{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-027MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082182Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:02.644{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF27FB03F108A3CB8FEBE4DFCDDB125A,SHA256=027D8BDE9D3772BF0678F3E6EC61396F8C72F8A7A02E812C2AB1BCC320CBA29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.578{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6CCD02DBF1B0AEA923817EFE1607E9,SHA256=C3DAFCD8E1DEB69AC233EE7B869160DF6CAA67C524CAE6E6EB9C9B9506A3DB60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.422{58E9C193-B356-615A-EC01-00000000FC01}55845292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B356-615A-EC01-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B356-615A-EC01-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B356-615A-EC01-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.204{58E9C193-B356-615A-EC01-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.892{58E9C193-B357-615A-EE01-00000000FC01}57605844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B357-615A-EE01-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B357-615A-EE01-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B357-615A-EE01-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.705{58E9C193-B357-615A-EE01-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.656{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DBAF6B267F4D886F7B066E5EB75BA6,SHA256=25735FDEB620D3122413CEB743802FE1E5E6C00B35417CF6AB8A3170DE33346C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082185Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:03.754{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082184Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:03.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4333A3B1B6D2A64E2E59BA0D207D58,SHA256=738CE9C6C048B757BB57BBA32326D16A4D652F8EA70969474221DDE7D163CA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.359{58E9C193-B357-615A-ED01-00000000FC01}52965636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.250{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13300F684275456DB57FA363B280D4D0,SHA256=07D1753E71F7D59CA7CCB6AF7FD243BA7A1D4C302AFA527DFE8E7BA870B1121A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B357-615A-ED01-00000000FC01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B357-615A-ED01-00000000FC01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B357-615A-ED01-00000000FC01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.188{58E9C193-B357-615A-ED01-00000000FC01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.047{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.047{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.047{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:04.703{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598961718E4B3218BA18143F3C857433,SHA256=3D25C19F511BE33FD94AEBA22A58241725486FBDBAE505484DCD2850A5231D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:04.687{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CD736CB056C74351063EA78AAD2049,SHA256=79CD217953813322BD1CADE7CE273AC63CB768953C5E291A08EB88978D8742B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082186Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:04.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8CA8DD39E8FC0A2327BB9908287922,SHA256=61E8B025F01D609F6FF5CF4A0ECA1AD1405464B58AD22A09B563DB5295E15A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082187Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:05.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F730C8EF1867B6A4AF4460DB060C32C0,SHA256=E2C8C9FE6653D2734C14FDB0709B0B48B25B9426C9C706218F7C3CF347B21EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.703{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958F550B02FEBD9FBD3242722AB53D73,SHA256=066E9D84C2C3BE8F3D28919765BC663738D0901B43E9B00B8C69F2540A0333D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B359-615A-EF01-00000000FC01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B359-615A-EF01-00000000FC01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B359-615A-EF01-00000000FC01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-B359-615A-EF01-00000000FC01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082189Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:06.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E993F69A206BCED52D205AC3BC21D18,SHA256=E286D2B7D2A861DD22D10F5317DC8660FD7F5038EE374FF4122BA974DBD8396D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:06.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAF449D16BB3C0F007C7E130D91089B,SHA256=2A17E98979ED7698A0E385DFB036CCBC21B08D178BB928C7915829790BB746B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082188Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:04.728{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50080-false10.0.1.12-8000- 23542300x8000000000000000104345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:06.375{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8391E0F856BD6BBD4A255D4A751A646,SHA256=D63234D83B0ED53EBEA699053E055AEB7DFAD6FD9D51FE5E267BC0C761951895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:07.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E509685CD2DD23FF27EF8D5591E623FB,SHA256=4B08223C99153DBC877F0094605DF86852560565E53BC88A49BAC846DD4650F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082190Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:07.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7963874F34E0976757ECC47E4898E02,SHA256=B3242CCA4D73FD0A13168A6708CDB6A3F9ACFD58056E31105BFE444E2033E9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:07.703{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=7C34B221FA0E838548D0D21B519A1B38,SHA256=B4DADA4CCB6E3E2885CC8D135DD9E556FD4376EDAB962C960268E8BCB424BBBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.302{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49591-false10.0.1.12-8000- 23542300x8000000000000000104350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:08.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CFBA54FA8176C6138E1D3C4C86DADB,SHA256=52F30D6B12786C3F3F661485B6C42B3BAC8122A405E3F4E955C7AC1F4691D00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082191Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:08.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A30E17A10D73A536D0FB0AA362709E3,SHA256=99B90EEE5856FB3F58215F2DCED9649C786E95FBA30EA10A0E881D0FE18CAF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082192Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:09.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3213B396C7EA6A315001391CE1A522,SHA256=946FB9B123E366E19AD180F6926C734161E2D803050A60AABD46A1B3F5819DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:09.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DF244442803A75E4732C132397D004,SHA256=99F7AC216EC73939BDDFCBF28386C31D00F4701CE87C1F06011A3793AE9D262A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082193Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:10.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ABB611E5698E22F02D0F58ACF63815,SHA256=CF5E358269702CCF431BC86530F844FF64C86BBE713B82AF60A75265FFAC761A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:10.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9118AEBE333BC8721B4B519465A4E355,SHA256=15721EA367E8BD735129ADAE2CBB2C5E9D60BEA48D79CF35556ABE4DD30572C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:11.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4759202915DD5D042D4CEEFD0BEF6B3E,SHA256=412A8332E1E541B8BBCEA4348F9D33F3ADA6BEF6BA4B8E6AF01901C3CACE01CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082194Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:11.675{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37F479471C3D3CEB940A62C8CD6CE8A,SHA256=DB3B14A8FF9F47E1936A71569A475DE39ED3614B880CB396FA99F31377A8B28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:12.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC8AACC0C43B4FD61D53C78EB988E8A,SHA256=99A5850AA392D79B1FC1CE5F0EB6D357C3CC764C141FBFA11E299FD231178446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082196Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:12.675{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3508FA46CBEABE349C046FFDF7ABD62C,SHA256=36104D040E7C70CFF7B185E0E6EC6BBFE57AAD1E05579AF0642E503706246B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082195Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:10.697{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50081-false10.0.1.12-8000- 23542300x800000000000000082197Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:13.691{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F53D9BD6DEE33E55CC051683E01DFB,SHA256=4D56149B00886E2A3DDD75196160AA3004E4D08035DEDD4D4CF3170C9BF0A8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:13.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EADC8134B302970B3B56279FD43160,SHA256=34800D736422CE8AE97F7EB9E7ED3270011D139CFCB3759369DC88F2C1A92A82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:11.271{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49592-false10.0.1.12-8000- 23542300x800000000000000082198Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:14.691{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E273B986854174FFB0B217EB1B69EA31,SHA256=C0538326FF8AA0B9BAE66FBA3575A6638B3BDFFD304FD17F8183A8673EF4790B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:14.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4654776F195A6871AAADE3DDB74AF77D,SHA256=BF2D6C70D298434645ABE7001F2D9EB251FEBC91508144F03A6D13E7D192CE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:15.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B741E6307B66C16685C29DA6D6FE957,SHA256=A4BA017809AFFD511F4BFB2A8EA7FAAC4A3184EBA38B4CE43146D5EAF4735A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082199Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:15.753{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0315454D6694212A3BCF89612DA08F49,SHA256=8BFBA3423802A4DBC9FD9A2FAF21E173EB9F64DCCD3D4D786E1617D7C7FED015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082200Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:16.781{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3ECEB4CA1ADB0FB3025FC1B174F11C,SHA256=4CDFC067067DA3A54226BB482FD4F87496446F148D00CE7986CA9B44F70ADDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:16.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93A7AE2DA660DB3A0B9D7F32D08E753,SHA256=3D38EBD688EBE3B932B11C37831CA1BBA49338198D1437E1188C261238D5C96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082201Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:17.781{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FE7AC4EA9167AB98F35DCD184B45C9,SHA256=370810B7282BBFA354E7A79BC41639E1623009A711A34973EBE50C288CC534E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:17.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF90456A84B00FAB122C4FA89F781CA,SHA256=F1DB240A456DFAEE7F5D0B733C79089128E71EFF87CB09D3C4F2509398E3674F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082202Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:18.830{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449BF75E1DA2FCCF453557FAF7A24D22,SHA256=98179032985BD813D9715D253E197C605DEDE4B2FFD4F61AB2BFF93E20704355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:18.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC999163756E5C564678E1AC77E6C45C,SHA256=74949FB6118E3582A1AB2268D0E22653859A3A0B3C172CFC3995B08E00B890E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:16.379{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49593-false10.0.1.12-8000- 23542300x800000000000000082205Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:19.969{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7372E0CE7BCC548C8AB21A29B7FD0C4,SHA256=A24AA3CEA8721752AD16516F1144BAB33796F5CACDD23F5548DDFB6D95CBD153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:19.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82341CFC94EC8A854B083302F0E60EEE,SHA256=3D426A7C7647499BC94E0525220203FC803221E72F4E4A83192E4CB5E6A00F60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082204Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:16.631{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50082-false10.0.1.12-8000- 23542300x800000000000000082203Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:19.000{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=331F66A65A1D3AEE144CFBBA5202531D,SHA256=A9EBE628F834A44258B59A29217578C9CCFEA12B5BD8A2A0091FC1C922227180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082206Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:20.969{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2BAA400B22047F20B20C5567E84633,SHA256=DBB295853ED0D49B8FE1FD0880B448CC45344A7800152B6CFC84A324046618DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:20.749{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7A78BD21A23EDFF43A4AD49A39CD53,SHA256=8A5280F66B82144C73DA4408DF549F32F27539C7A50713ECB5BDAD07514C5ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:21.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3FCB291201D2AAC2DA94EB22E7D035,SHA256=694811F5559A440371C663BDF1831F65FED3E9D03B19AB690193836687FFED63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:22.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2B172CAB6703D5F54FC1C13EFA3738,SHA256=E6D8EE1A33E050B9A32E3AA3BDB376C74A36271E69E615C39B5628ADE3FB630A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082207Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:22.031{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDAA9703E363CCDB9DB257CDE39E673,SHA256=49AB161ACE51ED55C2CFBD0C11D33D5C4829AB3D67DADBDFC45E5416440A433A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:21.411{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49594-false10.0.1.12-8000- 23542300x8000000000000000104368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:23.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A6015B63EFE393689A9F7A693C7F07,SHA256=BD0CAC6EC967C205BA38E8B9AB7C94DCEEF989ADD1F18209C475B22CE8F02AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082208Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:23.141{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A1BD6C434009826B7B81E65527BFBE,SHA256=E960A151D805577D94F67F7B55CA12910F32E75A4123BD71229939197BDBD975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:24.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDFB6639033EBC1413004118650C5FF,SHA256=943DB76AE0C003635EE1A3E78DA70E39DA51256C2BF19C08EC16A3F181DA0F3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082210Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:21.710{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50083-false10.0.1.12-8000- 23542300x800000000000000082209Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:24.188{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF04E54EC3CBD57328DE02F4F488669,SHA256=2B4DE3135135A8BED606CCEF903DCDF96C90A4C7C8AB1123D679B524B28B857E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:25.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8AEE1421CE0CF10BD7C4EB9F95D5EA,SHA256=EF48621BC76F029F18B14875ACA4985B786B1E9A859233B4A67270EA6F84F964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082211Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:25.281{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9926B562A509E6C3AE86C23B7500CDA6,SHA256=00842BBE93150F7C4F35F741D09C350E084136B7EFA93A4D0DF5079A449A094B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:25.030{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:25.030{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:25.030{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:26.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBED469C3F2B0ABF36A96E48197815F,SHA256=C8955F470ED18BD1B70614CC857C0900D711D9C7374A890BA595A4DF44D62F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082212Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:26.297{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FE89EC518A5DDE7F1EF98398898FB5,SHA256=B71E1B94C74A5A059BBBCADBC147F10ECCE1D432ED4400DBA6049671F455BA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:27.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F014B12BEB32B64DD18C4973676C3B6,SHA256=5822E4C749879698D0EC0AF6D094007E42926DBB1271833CD9CECEC7AC666143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082213Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:27.500{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1121354049F08191B09606F84082C1,SHA256=093005B32B87EC465D0F6EBC3FEECAA24103CF797A4D3A82050C03DB00117BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082214Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:28.516{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D411C2B59042B882CFDD20218FE9F08,SHA256=D6188EA3EDC2DBD15771B3D20C875BE8E146C8F24A5D7CF5E92A64A67BFDE89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:28.779{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DFA827D17AF53869758D386C63A25E,SHA256=2275EC44763555032ACE25C7C6F69B8D8B11C9833CD10230ACC09D61A9126856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:28.732{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=9619F8D93851E867E37FA3EA526AB825,SHA256=DEB93FF6A2BB1A19D4E5939F30C2CEF1146CAA46CDFD2DCFF2A24A01D7B208CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:27.301{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49595-false10.0.1.12-8000- 23542300x8000000000000000104376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:28.393{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-027MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082217Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:29.719{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082216Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:29.703{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652D6B33767DC3721E6D8E50325C7772,SHA256=C3E17B8C444EAD076825C87C6DEF6C762190E331F2B87567602FEB7D62887B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:29.792{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA0F099B214BEC97D12D7D9BB0B05BF,SHA256=6C96AF5218E5269153F957E86A930941E49CA5FFF83726C613ABF5CA3AA6CADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082215Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:27.664{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50084-false10.0.1.12-8000- 23542300x8000000000000000104380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:29.405{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:30.796{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF308F96D8F888691AFC556CF83329C9,SHA256=53F749F0F288FE7749A6951FEB6F4839727DCE92B0DEEA4341706EF62D194926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082218Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:30.703{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9903C9CDE246844E95AD1BE11D4C18D6,SHA256=461A25A02B50F536426C93980777E041B316929ABA282C92C7EFF519CE75DDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:31.812{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E261F8C3A2FC8041045E6D2ECB1D7116,SHA256=362A0A8D1E4E4DA68798E960E5D94FA50729F4C8D17B9E783695E253254CB405,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082233Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:29.257{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50085-false10.0.1.12-8089- 23542300x800000000000000082232Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.706{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2F387FC0C40A3CE69118CC318EE766,SHA256=3B88DA3EBE4A1309CD1E912F33F47395A444DA4496BE2E382BDF5D633E115439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082231Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B373-615A-6501-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082230Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082229Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082228Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082227Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082226Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082225Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082224Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082223Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082222Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082221Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B373-615A-6501-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082220Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B373-615A-6501-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082219Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.376{2FDD8D40-B373-615A-6501-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082250Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.719{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEB71095173E6510A730153A62BA7BC,SHA256=C7C77C86256E04220122056365890AE9334E9429D4EE3D5EEC629B86B55EA168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:32.812{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7FE971C73A2084A05D31568095D0C8,SHA256=60BE01412EC57BFED41AE8383CE1B312DDFB52E53DC1841E5015534E35D0F87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:32.077{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3F0EC277FAA84082DE1D0D81A9D32C36,SHA256=E33789FBF0A04B3470467A17C14BC38BDCDFB5D97B762CBDB621CE5E170C949C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082249Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.391{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD05727232D80F1FD5AAF5149925092B,SHA256=89632D73656130828A6FDEB086909F1E2C3810D410494119B9B85A1B9DE0AAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082248Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.391{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A004E0C0CBF25DA65B8316D92B537C9,SHA256=70D2648CFBC9CDABE72C83F69F35A8BEF12E3688A1A05DDCB614A93B6B8560EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082247Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.203{2FDD8D40-B374-615A-6601-00000000FD01}39482388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082246Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B374-615A-6601-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082245Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082244Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082243Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082242Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082241Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082240Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082239Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082238Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082237Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082236Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B374-615A-6601-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082235Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B374-615A-6601-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082234Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.001{2FDD8D40-B374-615A-6601-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:33.812{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6E5BFBD527C039FE1B7703D52CA628,SHA256=232A99B37492EE0157C0D990391A9FC50D458AD9BAD00A7956F45784D520BB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082264Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.719{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC06E9FC247D41269036AF1E560535BD,SHA256=171B61DB56A14A6298FC61FF9398013558E625DACC7F22539D7B4CBC35AD4184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082263Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B375-615A-6701-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082262Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082261Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082260Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082259Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082258Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082257Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082256Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082255Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082254Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B375-615A-6701-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082253Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082252Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B375-615A-6701-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082251Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-B375-615A-6701-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:32.302{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49596-false10.0.1.12-8000- 23542300x8000000000000000104388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:34.827{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC03D079517954728FEF45FFB515FFD6,SHA256=271F7ED41259A10006AB5C0DF60E4D4558F2EEDF9B7C162414D867146E3CB944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082281Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.985{2FDD8D40-B376-615A-6801-00000000FD01}32003684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000082280Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.757{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50086-false10.0.1.12-8000- 10341000x800000000000000082279Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B376-615A-6801-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082278Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082277Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082276Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082275Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082274Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082273Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 103410