23542300x80000000000000001060557Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:26.834{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E1BFD0F223A6318B58E64D20C5B8CD,SHA256=64FEEC53740D693D1B8316EE544097036B922EC41D65F04AD233528BD93BE333,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060558Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:24.973{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54740-false10.0.1.12-8000- 23542300x80000000000000001060559Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:28.193{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029E5996CBF786CF6F00200AC23F0317,SHA256=094555C06286A473F59D15316FBA1C497D19D2788C3964AFA60110730EEAFC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060560Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:29.600{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FF49519423F5A603E6841A08331D00,SHA256=581FF8040857E5CE0FDBC4C35D207BC21BA21EB3D24DBA3FDE29717432B02B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245122Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:29.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3BD2809FAF5003D27E69DCC7B2F102,SHA256=879924626B6888386AF1C2B1FB7A33599FF1C494D14211F5B1EECA05BDEAA036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060561Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:30.959{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FD4D8BC3710E0B7B378985E767888C,SHA256=9B9B95867DE170512251AEBB97139042657C980228FF2A1936D227AA29F2FB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245124Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:30.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5257D1B08B2638CAF08B5342D887B51B,SHA256=31E2C0A174FE826B0CE747E7B2B6BE23529FFF6972F9EBD528FD35A57CADE0BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245123Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:28.675{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64729-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001060563Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:31.819{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2E00-00000000AF01}2196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060562Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:31.647{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CC2DBFF21E90B7DEB489FDBC9F69705,SHA256=2AFF5ED882E34ED7C4A00809B37DBD124E89C5F3E02E64A0D32E55A7A695A9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245125Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:31.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F2B8CED26E423699D569C68EDEBACA,SHA256=B9A48C21686DE5056602048EC3E39818A9A0724A8E7FE86BD5D4EBAD2BE26377,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060565Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:30.098{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54741-false10.0.1.12-8000- 23542300x80000000000000001060564Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:32.319{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B404DD416B0D74ED1673EE19F0CA1704,SHA256=91D729116590FE8F5C68A525373BB160724D71060DD20CA60D78E6DC40560641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245126Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:32.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA54E38082CB976145094A551CAC2018,SHA256=777D8A025148AB811C6C9B8CF9AA6D72E5FE724EFCD0C25122186A2AC70C0253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060566Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:33.679{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1760539990364E28480AF406332644EC,SHA256=6DA7AEC40BC965096BE4F92DF62AB6687499669A18E468198023718EE2E5DD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245127Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:33.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C607C177ACB71375C67CFD0ABA2078AF,SHA256=15D949C10D88335236F772BD0D256F0C1C60EF1C9AA3732E746018613D0F15C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245130Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:34.605{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68304466C49971170F7C047CE047CD6,SHA256=DF9DA474D9A9D383A7439FEF3F51DB8B5E978DF781B57CB90B1C2DAA5167839C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245129Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:34.293{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2379F8C926FBF92057B1FB817A5168,SHA256=6C7CE1D04B0D5C133F4708A6B8960C52BCE5353D43465DD4F0242DF7C27F584F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245128Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:34.293{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65725C77294AD3F175264EB9ABE1C23B,SHA256=C89BE16345172801227AA6620D7C1900E14C30268622DB143E716FC903ADCAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060567Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:35.038{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236EEA8635578743D6CBDA5A81CD0226,SHA256=20A14E2A86F3DD672C81E777332415A2FEA95F0D0B6C0FEED357E9DA14B19976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245132Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:35.621{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76ACFFD846F621075D562B1D3A7D44C1,SHA256=99B9858C60D112F83169721B9FD6D2DD49766EDE887E511D9DEC077E7DBAEF04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245131Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:33.690{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64730-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060568Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:36.398{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076AC866CB36FA6E766FEA3212EF0D4E,SHA256=6479765B64A5C0F5D9DCEC3B170657EE4CB8C3A68B28CC81E35D2761948C1668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245133Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:36.621{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CE90A4E3E0120816639193E38B5CDF,SHA256=C46C5A0ADF7E5179F0251B9BBD6B12537B510238B8007A22158DED9782736029,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060572Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:37.320{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060571Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:37.320{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2E00-00000000AF01}2196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060570Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:37.320{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D300-00000000AF01}6052C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060569Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:37.320{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D300-00000000AF01}6052C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245134Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:37.621{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF260FBF10262A879E8175C1FCF0FC8,SHA256=A8AF649713C1376EEB2381BF0B90F3E91F352E033CFC0A468214EF8C735ABD59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060575Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:35.973{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54742-false10.0.1.12-8000- 23542300x80000000000000001060574Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:38.476{7F8C56E7-4F98-6063-D400-00000000AF01}3720ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\3720.xml~RFae53e.TMPMD5=E210DA0F304440F4891BF54909C19C98,SHA256=B43FE905936B0150E6255A077026B1F44D6EB79DFEDD0662E47A023D849120A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060573Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:38.398{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04CD29DCEC22A6B742465AFFD0E43ED,SHA256=A8302DEE7202ACB42B4EE1DE3EFFD4D40B85425B15EA3327CF10B3682E184758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245135Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:38.652{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCC7FB3062DF5C9B21AA3B4A7E7567C,SHA256=2F6C4E90FB840A73A5FEB90AA30509A4D91B2AF86A61D9AC0683C87EBC9C343B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060576Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:39.227{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245138Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:39.668{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC92DF06CF295197F5E9F1BC90DAADC,SHA256=7C39D3DA2C9532913484E746C9A98750989130D55BA7B38ABBB57C5727D5FE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245137Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:39.293{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BFEE85AA0676BFDD56AEADAA098D1A8,SHA256=70764C4462C91E222F15110E5DF1121603AD57162C0B0D322451602A43C0181C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245136Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:39.293{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2379F8C926FBF92057B1FB817A5168,SHA256=6C7CE1D04B0D5C133F4708A6B8960C52BCE5353D43465DD4F0242DF7C27F584F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060578Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:40.977{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060577Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:40.024{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB30FD04BE11995F6CB4E4CB0AC14A95,SHA256=1F9269C518CAA236B9E93985EBC739DA07FE76A558C810EB0F1ED9E945287E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245140Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:40.684{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A0043238FC0C9D7D99A731358E4494,SHA256=9A03A24C3E76672C97636CDBEBA8DE1AADEFA743F53EE0C6FDA685E5C9583BFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245139Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:38.690{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64731-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060579Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:41.399{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7CFA11B2A170C1D7AD87D1DECB30AE,SHA256=49D7A7FD7C9D40BF77BD08BC7B7D1037FDD92E7FDCFD46DA776E19B86DCEDBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245141Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:41.684{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629B688E3C512A27D8594922E8F70B60,SHA256=BC87421B4E1B92B91C51C845FFF9072674B03916F8008FEDB8E07E387CAAC72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060581Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:42.805{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DFB8AE36571DD6235BF01693EB34B0F,SHA256=646368DFF8D8C698FF76120922C906F22A56CC4B162629A854F425773C648225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060580Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:42.805{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA4FCEDCB8D27C85979BCBC2D848552,SHA256=C658A14471A1CB560D2631BBB5633110AD47D46644A02982AEBED64B49302607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245142Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:42.684{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD9F9CCED2FEDFAE8CFDB725D1A3095,SHA256=50F47DCBF2BAFB589ACE71E4256DC65876AF2F53AC5923F45CBF0F0777EED75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245143Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:43.746{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9D01ADE757975BB68EEBA10F75C22D,SHA256=688D6777D93E78B59E1B5B7FC9FFE80F8A8F95A3F1EE98981266D9D6717B6C65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060583Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:41.957{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54743-false10.0.1.12-8000- 23542300x80000000000000001060582Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:44.165{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5AA7054546E61C50C44F1E009966FA,SHA256=7A555020441E0514761F8A215B1740D69281915A5D0F267C2EC6C3FB3CD1A34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245144Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:44.746{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05C8BB7CCB51D2EA7DF843B6BC9203F,SHA256=284FE2A251EBFEDA05BC077A6D6A1D048EBDBD99E5DD7512131B1198C235377E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060584Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:45.525{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59098FD8972DCE433AA09B207C464A7D,SHA256=260DE8E60A7EE5BFEE1EF0E83AA9A100ACD4847E8D49594742F28FD90E5F3CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245148Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:45.809{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1087E904BD0C79468531BD17AFFC0700,SHA256=D60E422B5136A77F7C47BA7A81EF8925FB2D02320ECF287092032AF405D66208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245147Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:44.487{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64732-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245146Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:45.277{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ACB3ABFA897E2468AB40A489960B0C2,SHA256=D552894061F2262873C2BB797D4D0813D91FE28CF0DCF3A2EC089047C895B17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245145Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:45.277{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BFEE85AA0676BFDD56AEADAA098D1A8,SHA256=70764C4462C91E222F15110E5DF1121603AD57162C0B0D322451602A43C0181C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060585Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:46.884{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D60C896A4B0FD32CF0D2FFFA6A86BE4,SHA256=7FF7F50FBDE528F5FA17F5AAB4A5CF46D35F6289F767EEE7C83D0290F04B58D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245149Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:46.840{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F42989D9C5C48B202113DB00BD3C5D,SHA256=14EE048E56CF573787BC27120DF17F619CE0C6BC85976D124EAF6ACE1FA9E4B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245150Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:47.840{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B890A928A7E503B11E18EFF5F96685C1,SHA256=D94E90AD5CD77980BB639BEAC0D13F9C02DBB489D6ACA12FA8A719A86C096E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060586Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:48.260{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC5D4A07B6FEDC89AC493594FBEF2A9,SHA256=8759BA64526F81A414B44F004F316ABCEF2932E5C72842D12C1743A73E3BF819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245151Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:48.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B43559C5604320C7D639EFBCAF21D1,SHA256=489EF640F60C20AFE7BF4CE722D203297D593F1F1F529A74BFD151AD2D36BF2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060588Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:47.067{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54744-false10.0.1.12-8000- 23542300x80000000000000001060587Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:49.619{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293B31387A4B5A487B87EF519A52B1C6,SHA256=DBE2D403F98824BCD713A9BD094195B7A28D2AB5F1371D5773B96FDAB01CA545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245152Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:49.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE4604CA316A2225BC14A2C771F6A4B,SHA256=6A99BC25D6DAF55415338D57B11647293CB7B5D981ABFE46D319CB7C274A646A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060591Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:50.979{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005A917DDE5099447CCD24BC673F2F72,SHA256=04E8C64922105C72BED0048927C10516C8431540B90312D724128BBBC4D900FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060590Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:50.229{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4F98-6063-D400-00000000AF01}3720C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060589Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:50.182{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CA16EB5729BA31DADD969CC44AB76AE1,SHA256=DFD69960C710EDB60AF5634106BC7466A109330327AA3CE0CDC9388EB85A8E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245153Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:50.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72E0542B1D5D5AEE90BF555103ED4A4,SHA256=43C087B16D3C360DAA674A91B399033882707E696854AF1DF41FB26FED7FD075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060593Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:51.651{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB0AA5FEABDD9A04FEEB1EB78DE2B66,SHA256=BF3BA5D39C429A9BCA0DFE23C6540B67E0DC79B2468CDC8A2CC327157931CFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060592Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:51.010{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245157Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:51.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44928545F268395B85E82203B86D52E2,SHA256=0414F38C39669A20AE82564FCFA5DBBEFDC80856C8AD0FEA8684C656E973216E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245156Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:50.519{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64733-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245155Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:51.230{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81FBCADA6046C82540B047D21F109AFF,SHA256=9D00B60570B752E7E76426E72862ADCFAD648D745984BFA8D887F5FF0AE30052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245154Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:51.230{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ACB3ABFA897E2468AB40A489960B0C2,SHA256=D552894061F2262873C2BB797D4D0813D91FE28CF0DCF3A2EC089047C895B17B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060595Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:49.848{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54745-false10.0.1.12-8089- 23542300x80000000000000001060594Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:52.338{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE0720B7C8764B4705B6F6A8BE0C732,SHA256=7179865828566F7360AE5D1A5D8B9E1DE4355DDA842A20DD6A36F57159E1C5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245162Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9292EC95B418BF4FE191E5C3420B8C,SHA256=EA8CFB1854E612F65A5243495246303BF25E90199B5B212D2C6E189D8024DD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245161Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.652{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1F514599832E76702B5F1248C69C12DE,SHA256=386000390926FE1EE89C8959757B59F85D666D42BD0DEE2B106EB3A1D58F6E96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245160Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.184{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245159Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.184{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245158Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:52.184{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304B-6062-1600-00000000AF01}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060596Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:53.729{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DC7B43DEE529CBECA34FD55F58B15A,SHA256=81B69C88EE59949DD652A28DB075E867292A9C4C503EBE6DBCF6A4E09C94718C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245164Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:53.934{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245163Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:53.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6507F6C8CAB637DE10A816D61B119DDC,SHA256=93B39A4D0F8FC4FBA03A9D6F9B74A18F89AF0B99E9034F446A87B2CAD9236A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245166Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:54.934{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81FBCADA6046C82540B047D21F109AFF,SHA256=9D00B60570B752E7E76426E72862ADCFAD648D745984BFA8D887F5FF0AE30052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245165Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:54.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C32EF40F2D9953F27C1DBF979D5ECE7,SHA256=ACC9BD66679BCA911A24DD46CB19470D03C6FC752C1FD372FFB7CED612693E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060597Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:55.104{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C46A3B06C8C7D73977A7A9584DAF740,SHA256=95EA4E6E47A1A28BEB8A8A908F8CD57EF07B2110AEFECD26388F6C836E015E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245168Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:55.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5987892909FD3EAE13E2E40357118B,SHA256=6FD26B39B79D5680BB62BADBCBCFE3F6E2E75120553CEB7FF9197C38ABFD7305,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245167Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:54.347{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64734-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001060599Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:56.464{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EB033187AE5C3C68C4D253D43E1D16,SHA256=BA97F5FBFCD2666C1687891A60393482DA3C7F28C9687EE4022B83EA9D36C9B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060598Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:52.942{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54746-false10.0.1.12-8000- 23542300x8000000000000000245169Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:56.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEDA4A620290DAB8D641E24DE9004BD,SHA256=1462B81A431CD1B88BBEB976877D9B47E4D840CFF72B03EA54EA0BA868B5D8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060600Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:57.824{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CCEDCED8A47D9F2D0228FAA050FCC7,SHA256=EA9A7D0FFC8B675FF97FDE0F85298E06D2119597E182D54BB997AE96F1F4A27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245171Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:57.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7911306F130DD6C389B7B1FB70A6ADD2,SHA256=E215C20C63A6157D47778F4B8E9F2B51544DA25D6F03CB5CA9459DCFD9F64F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245170Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:57.105{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8E88BCDCAFE4022754430AD8A9480FE,SHA256=1B1FE09FFCCF5E8E94A7A79821EEA105D9114C12E12564C7BE179AF86B2B5093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245173Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:58.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4636CEC88D27E8F9BADA77D08C8B3D70,SHA256=D3A0547908D08D957066C4DCB2B447D6FE0B70F787F0A204BC9EDBCC021B5118,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245172Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:56.534{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64735-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060601Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:59.183{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314B9FA24ADE40DCBAE0278B2283AD74,SHA256=9BCE57A3164EB20BE55D87B3293B24128BAEE6E1D2FDB062290B0C3159B316F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245174Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:25:59.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E0B06C24333108E743519270DCA92D,SHA256=F663D6B1984950D91831FC2395BFAF4AC11D461F8295BEA986E1AB2790D4F361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060603Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:00.543{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31D411444D9E563698E38A5F093A350,SHA256=7BB2EC73F43EEFE305155B719F0D5057165B044B01BC11956E14C1C6CB92DB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060602Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:00.543{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC3E05602E49AA45FD13A265D76FC3D,SHA256=16EE7D7A5F39C8A3DEB7D6FC227FECEB4FF51F2671A5295F6267FC5447A401A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245175Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:00.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CD6E1FD74C0531537AB68E2CEEE5D2,SHA256=26516CF12AFDC2BF7B6E134CF8C9BD20956C12914313ECF3D4FF7423F63A4C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060605Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:01.903{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D38D5B1D655B4BFCBE096D18478DA07,SHA256=FAD0C3E895C325A4FB34F0BB1CAC838F227DFEC65FEC9000A504B792765E2B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060604Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:25:58.067{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54747-false10.0.1.12-8000- 23542300x8000000000000000245176Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:01.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F5DB0135A3D6CA68B8E6560D9532E9,SHA256=D0ABAC58C2854E584382293ABF61A6688499A586CD9DCE01BBF28CE21A715B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245180Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:02.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2051B510E44B5E23144B62B8F1ED57,SHA256=DC4285A7B673C86DF4B19CD81FE508AB07B11AD12F678D6FC2706EBA1CB036F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245179Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:01.550{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64736-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245178Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:02.340{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7565615333660CC28C2BAD753F2E9FA3,SHA256=79ACB9848900F6750CC0414BF3B6AD6F81665B13017915E91EA6DE2805829C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245177Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:02.340{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A52A41EDD71E56A5B7D421502D40A549,SHA256=985B8510BE467019A40BDFB9FD148651644682541338341BC0FBD893C18889EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060606Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:03.262{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135866B9C33EC66AB20525F671D1F0A5,SHA256=27F07604DB6808A6A609A55EB0A8D34B6BD4A492754BFC9603B6F5A7A859FF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245181Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:03.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49D0E718CFF24FE667A194EC43B2360,SHA256=9DA356D267FEEF913C52A39EC1BCFBC2FC3BC143911D22DC85A8E20621F5330D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060607Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:04.622{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443CBDBF53DA152E21ECCED3410FACB4,SHA256=C0A13D319EB2A02BB044A6FDA14830F9375D2ACC51A1DE16BFAF6747CFC464B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245182Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:04.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8305EAD58FABB070540A151092D87741,SHA256=BA5C5AEB812475DDD506919743827029C365AF3D10DA1ED417C35CF225CFF801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060608Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:05.966{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4358CB58512EC400FFB8CE798002E12E,SHA256=95E464C96D3A6D1D4310BF5B7ADE93995E8337061657595C0BC5EC1D91A54877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245183Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:05.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964301A533DA74319C1587A01755DC32,SHA256=82BDABF8EFD14E0DCC1223FA418827FA0F352E9E2404038164D988F6CD43C440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245184Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:06.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353C309126CE5516222F5F6E08112FAB,SHA256=7D58EBB555B4B94E971858E4870F4916C10FCCEF869EE914AF438A5A084CDB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060610Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:07.325{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E2F15D518918A16189783F7D8E8CFD,SHA256=CC4810337650608371E72A64859BE953CB16443592B26FF8C548FD160887D4EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060609Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:03.958{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54748-false10.0.1.12-8000- 23542300x8000000000000000245185Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:07.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B5AD8A29D82B41B439E4770BA0D6A2,SHA256=3E3754ABD82EF51094CF5EA922ED313DBA12E6E7CD8AE05EE49F0BB3D830EE76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245189Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:07.566{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64737-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245188Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:08.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D675969C259995CE0F89A49453BF4431,SHA256=EBE2216FAD045A29A1CE414984E1943C0BF60AC098A0685EBFDCA45E77470FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245187Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:08.184{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C7656BA8BBC92A10AAD2DACE2BDF2A,SHA256=7720F4CEE880751C4FC2BD038B22CE9502F95E9F68FA3603C9B75D3117168966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245186Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:08.184{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7565615333660CC28C2BAD753F2E9FA3,SHA256=79ACB9848900F6750CC0414BF3B6AD6F81665B13017915E91EA6DE2805829C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060611Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:09.326{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E661848367B77E3CEADB4CB67C7B688F,SHA256=BA86DDA66FD95F8250B89B7E8E2D3B4DE4FF1717E7E82469F25A0BCD94E42C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245190Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:09.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65F5CF2FE211AA8F2F452F2544320BD,SHA256=41B32B031D216ED6E5B459A94EC44249C9A3979EE441F7B909861AF588F39C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245191Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:10.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95D2CA37B639B14C39550B6B3AC7458,SHA256=788FE3D50AA25272536F8E20FD69B3061BF731591391C011E860A6038488D6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060613Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:11.732{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D453245699F79C04A0C2CDA92F75976,SHA256=209C143467179F2112AE04A52CE4F19F50591E16E768E4CB761E0B9360255377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060612Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:10.998{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190309E0F3179752A34D8515559D6BA6,SHA256=B0A2D0020BD6D841A8E789708E36F31E08886706F03953796C2511C018F92155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245192Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:11.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF061A4335436C6AA9FA5357C02C0465,SHA256=AAF995F7C926C4284BA5ED9269D99599B2E33D90C2B7C8CFC449611045C8BF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060615Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:12.405{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A56DCAB500C25708EAA2E320CE6AD,SHA256=4C3BBDC5822D0C3A42DA6C1C94FEFFD17E80A10559DC5BBF06BB8CD3D5F589B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060614Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:09.083{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54749-false10.0.1.12-8000- 23542300x8000000000000000245193Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:12.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAFC863A8FA688FA39FB653D980576C,SHA256=970D1E3565541F1B2B845B841A8A758C91F140D6FA668A87CB85AABAC1288EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060616Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:13.764{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C77C47D27531DE28FAC1D7BDE828C6,SHA256=8C6003A7A888D053863DCF06E22B390FC1A5909B6F86B23E4F0A3C9DC055571E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245196Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:13.871{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90639BB247CD45D7AFC0CE71BD12B4FD,SHA256=1711DCDDCEC15E14D1DDC008653499DCAF69DAD43B140EFDC04326375F532AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245195Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:13.262{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAE606E129A6A18B5AABE9C606F85572,SHA256=4EEB2DDF4586BD1BBB3B28CD6D8B5BAFBEBB3B917187360FA5391D043EEC50E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245194Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:13.262{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C7656BA8BBC92A10AAD2DACE2BDF2A,SHA256=7720F4CEE880751C4FC2BD038B22CE9502F95E9F68FA3603C9B75D3117168966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245198Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:14.872{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57576C1182EE40E401076B7E8E3ED6D1,SHA256=BB3E40B497E67B92142A9367CC0D398CA976AED71087091E1704659CD67A5D5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245197Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:12.628{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64738-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060617Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:15.139{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFFFB3DE51DCFB99ABC4F53470B96C9,SHA256=0D1E8F3AC172708E47457671F5B6B03860FE723B8A9728512FACD62BEA239E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245199Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:15.874{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172584C3B1C382378BE01CBFCC631FAE,SHA256=FC7152DBA3E0B856A8CA031896B5B6F1E54B3EB29CFD8003E2DBF6CF646ECBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060618Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:16.499{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A2599211CC60AA85C2F9CAC12A0AB5,SHA256=47BE158D8710968E4D3178BC9B82B5666941E793F8604DAEDF3A20369FB8923E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245200Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:16.875{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E073F7563D0AD116065D1F95337CC054,SHA256=0E0C3536464F34798533C696A1E483A1CF65C75849F3F5D3CCF1B68780C24D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060619Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:17.843{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959299BD1CF1211824BB8454C04AD4D1,SHA256=3C41CF367C8D3A0B3A7C568DFA21E06493E783629493E9DB19A81A89D83F469F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245201Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:17.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC5B521D3B6962FF27FBEA511E81DAF,SHA256=C657A455F538ACD54E66ED6CF123BDB9DE2794D5CB44C1B0E20F8186B0D81DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060620Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:14.942{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54750-false10.0.1.12-8000- 23542300x8000000000000000245202Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:18.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26976D5BFB609F69F9D6415B383A3262,SHA256=FBE28736E1C973E070F5AE96EDD67EEE2E5FBFD49812CEBA646FD5B3AC9E8CDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060637Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-512B-6063-0C01-00000000AF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060636Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060635Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060634Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060633Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060632Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-512B-6063-0C01-00000000AF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060631Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.887{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-512B-6063-0C01-00000000AF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060630Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.888{7F8C56E7-512B-6063-0C01-00000000AF01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060629Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-512B-6063-0B01-00000000AF01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060628Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060627Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060626Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060625Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060624Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-512B-6063-0B01-00000000AF01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060623Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-512B-6063-0B01-00000000AF01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060622Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.217{7F8C56E7-512B-6063-0B01-00000000AF01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060621Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:19.215{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B47B59BCAD6EAC1714853A6BABF2FD,SHA256=7A02F27615FE8ED7C2F7DCAAD144CA7DB7131A6E4CD741EA84A08B375FC843CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245206Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:19.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23676B22EB0EC10306D2FA7DDB88824,SHA256=C02A0E8D5982DA63DD3BCD511341E3F1B0C79DBCCA21A62639EAB3E8E593BC74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245205Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:19.406{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27164C128CBBA3F5FA1B8B5EE5D5196F,SHA256=6FB672155F56E547E388C9F285CCAAF00A991922ED882565E3AE2E1BB7CC7251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245204Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:19.406{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAE606E129A6A18B5AABE9C606F85572,SHA256=4EEB2DDF4586BD1BBB3B28CD6D8B5BAFBEBB3B917187360FA5391D043EEC50E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245203Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:18.616{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64739-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060650Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1BB74AC574D90EEB116A53069C50E5A,SHA256=7B3E44F5C6745E5FA0173F90F2F5B7550DA1E17D75D5475E263325B22F4A7B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060649Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FC4F60C943B58E2454B1F18B99DECE,SHA256=9AE063921762178627BC78358316D5A617C953D4B101AB80974E7564EBA445D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060648Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-512C-6063-0D01-00000000AF01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060647Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060646Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060645Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060644Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060643Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-512C-6063-0D01-00000000AF01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060642Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.562{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-512C-6063-0D01-00000000AF01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060641Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.564{7F8C56E7-512C-6063-0D01-00000000AF01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001060640Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:17.830{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54751-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001060639Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:17.830{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54751-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 10341000x80000000000000001060638Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.015{7F8C56E7-512B-6063-0C01-00000000AF01}32562792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245220Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512C-6063-9C22-00000000AF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245219Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245218Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245217Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245216Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245215Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245214Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245213Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245212Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245211Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245210Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-512C-6063-9C22-00000000AF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245209Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.968{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512C-6063-9C22-00000000AF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245208Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.969{CB4067E1-512C-6063-9C22-00000000AF01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245207Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:20.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33B8162166B9225F62231C0B917D073,SHA256=20E6A1D46103A7CABC9842C7CF2DE756544F5054B219264D8D79CC12CA4E4D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060652Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:21.921{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070B4F6C9C61A2A21D68404C816AD0CE,SHA256=F44457BF312E16EEB74AC543242CEC09D81BF67B44D9BF2BE69FA06147A36369,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001060651Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:26:21.343{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72581-0x6b63e98a) 23542300x8000000000000000245235Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.922{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CC0900CE76004BE7190AA349DE1FFC,SHA256=FC65CBC142D7C4FCF9ED01F45278C9B7B2112A6F0F7DB13122B7008793524330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245234Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512D-6063-9D22-00000000AF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245233Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245232Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245231Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245230Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245229Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245228Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245227Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245226Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245225Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245224Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-512D-6063-9D22-00000000AF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245223Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.640{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512D-6063-9D22-00000000AF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245222Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.641{CB4067E1-512D-6063-9D22-00000000AF01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245221Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:21.078{CB4067E1-512C-6063-9C22-00000000AF01}35523644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060653Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:22.609{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF644A822F5882C3FAC5547905E6269,SHA256=3C39E839B66D51FAE367D04B7BFFEF1E1380FE5872AC6A99AAED37B905CF5679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245263Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512E-6063-9F22-00000000AF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245262Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245261Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245260Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245259Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245258Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245257Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245256Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245255Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245254Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245253Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-512E-6063-9F22-00000000AF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245252Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512E-6063-9F22-00000000AF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245251Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.953{CB4067E1-512E-6063-9F22-00000000AF01}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245250Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.406{CB4067E1-512E-6063-9E22-00000000AF01}33121440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245249Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512E-6063-9E22-00000000AF01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245248Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245247Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245246Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245245Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245244Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245243Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245242Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245241Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245240Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245239Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-512E-6063-9E22-00000000AF01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245238Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.281{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512E-6063-9E22-00000000AF01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245237Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.282{CB4067E1-512E-6063-9E22-00000000AF01}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245236Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:22.187{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27164C128CBBA3F5FA1B8B5EE5D5196F,SHA256=6FB672155F56E547E388C9F285CCAAF00A991922ED882565E3AE2E1BB7CC7251,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060654Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:20.067{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54752-false10.0.1.12-8000- 10341000x8000000000000000245280Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.734{CB4067E1-512F-6063-A022-00000000AF01}6362764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245279Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-512F-6063-A022-00000000AF01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245278Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245277Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245276Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245275Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245274Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245273Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245272Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245271Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245270Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245269Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-512F-6063-A022-00000000AF01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245268Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-512F-6063-A022-00000000AF01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245267Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.625{CB4067E1-512F-6063-A022-00000000AF01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245266Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.422{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72EBB899B29F1D6C9228EB18794F7A7,SHA256=8729A06934E4D2EA0E0BF12F7D651B19F34D59566AF4C97E30ACC60C19DB8611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245265Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.422{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=056A0182B416C3FA7755037656C8141A,SHA256=2A3C62E9898A5F1EBC1CC4922C0932F09F45A5DED07CCB1E8C9317D099DB3961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245264Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.062{CB4067E1-512E-6063-9F22-00000000AF01}27283708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060673Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.844{7F8C56E7-5130-6063-0F01-00000000AF01}56164640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060672Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5130-6063-0F01-00000000AF01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060671Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060670Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060669Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060668Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060667Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5130-6063-0F01-00000000AF01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060666Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.703{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5130-6063-0F01-00000000AF01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060665Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.705{7F8C56E7-5130-6063-0F01-00000000AF01}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060664Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.125{7F8C56E7-5130-6063-0E01-00000000AF01}56322548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060663Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5130-6063-0E01-00000000AF01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060662Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060661Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060660Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A832EC3938B843DB82F3F8FBC70BD25,SHA256=84D4D415C185728C021F91BF567F7318B9B06174FEFD7956EA617BBAC7C2B1AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060659Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060658Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060657Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E3A-6063-0500-00000000AF01}412428C:\Windows\system32\csrss.exe{7F8C56E7-5130-6063-0E01-00000000AF01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060656Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.000{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5130-6063-0E01-00000000AF01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060655Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:24.001{7F8C56E7-5130-6063-0E01-00000000AF01}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245307Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5130-6063-A222-00000000AF01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245306Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245305Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245304Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245303Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245302Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245301Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245300Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245299Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245298Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245297Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-5130-6063-A222-00000000AF01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245296Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.968{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5130-6063-A222-00000000AF01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245295Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.969{CB4067E1-5130-6063-A222-00000000AF01}816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000245294Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:23.632{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64740-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000245293Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5130-6063-A122-00000000AF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245292Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245291Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245290Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245289Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245288Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245287Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245286Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245285Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245284Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245283Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-5130-6063-A122-00000000AF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245282Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5130-6063-A122-00000000AF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245281Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:24.297{CB4067E1-5130-6063-A122-00000000AF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060683Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.500{7F8C56E7-5131-6063-1001-00000000AF01}26283960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060682Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E19731F97DC8E46BD0F019E9ED88B6,SHA256=3CED9F5FC010540B778888135436227728E1E76EDDB35314A766C3759C3E5D76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060681Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5131-6063-1001-00000000AF01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060680Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060679Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060678Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060677Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060676Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5131-6063-1001-00000000AF01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060675Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.375{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5131-6063-1001-00000000AF01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060674Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.377{7F8C56E7-5131-6063-1001-00000000AF01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245310Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:25.984{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBAD103596D1C592846BBE77B968B74,SHA256=937237FDAA165FF15B59096EDD420AB66EB2ADA292A2A98D226BD7C61C9B36D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245309Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:25.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FF688D79663A6CE8AA618F1072B208,SHA256=7D6AAEFF0F580F8E2EEA29D748D75622BEEF8A73390DDCD5E4FB47DD2F8D3724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245308Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:25.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DE1615E07B556C483D0C6CAB47C6FE3,SHA256=852151088F64FE386D704DB4B31C7C9ED28293091E5F7C58D00820D79A000661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060692Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.735{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279F22E3023EA35C220B95B3DD3425AE,SHA256=35C7EFF591B9DF46CB45FD93010A71C362CFC663BDED4A5EC94F1CAC8F200EB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060691Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5132-6063-1101-00000000AF01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060690Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060689Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060688Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060687Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060686Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5132-6063-1101-00000000AF01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060685Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.063{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5132-6063-1101-00000000AF01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060684Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:26.065{7F8C56E7-5132-6063-1101-00000000AF01}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245312Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:26.984{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9B8B1766BE9ADD9B1043F082888D0B,SHA256=12628B1C4A74C3720E2C4F605ECE1455657410858E3AA0198F42E30F7CE92D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245311Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:26.203{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B85411FAE2DB7BE016DE22C46CC00A96,SHA256=BCBD0226FA1326BEE1D554BA3C4BA0CD8F7AE53095969E56CD06EEF1C8577DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245313Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:27.984{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8936909B8E09894C0980EB2891DC9299,SHA256=E2642CAB180B1781227A5D2981AFA5AEE75A51186656ECC6A586F1AA71672E6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060694Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:25.958{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54753-false10.0.1.12-8000- 23542300x80000000000000001060693Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:28.141{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8E3D6ADC62039EF0BA588667DFFE3F,SHA256=22D892D699A0E7A36C08A04CE25BCED8F674DF72E6B79E3986687DA60924F07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060696Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:29.516{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B4ACF1F7AB548703C58AA8EAD88C0B3,SHA256=049572726BAB5D356C0A1C1D76DB30248797D1E2CBB0A4773F39F37D186DF3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060695Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:29.516{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F203607C463088FE4E70CA0E6685317,SHA256=425D3F7727EF8349EF32A1F9423D9348BBB347F5BEBDC083D3729CE171F8F888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245314Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:29.031{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5255385D9243DA634F67B41A9944CD7E,SHA256=2213E830FA707C8389A6BAC4FE36B29E22E7FE1D1C8FB6677FAFD8A77A3FDC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060697Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:30.876{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50D227251D36695F8733120C1B9E1F3,SHA256=325B00004376777905C361A26E446D83A67D31B7938B8111C26E0E4CE69255C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245317Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:29.632{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245316Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:30.281{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E04CE9D67B80B58E9018264831050C48,SHA256=0052C2619566EEE883DFDF1C076A47A75F51E059CB4142CEA551C878BCC8B16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245315Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:30.047{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB355B8E9BB3AA40E0F892F8578483F8,SHA256=5D97018ABDB7021D558B3E300FD31832D4CC44CD90F47CF97CA1C093D7494ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245318Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:31.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB7A4F586EBF2F310464D803D78F71B,SHA256=45EAB5724A4B88DB237EE50FD7905DBC669A233B81531796AA9C2F9D882CE106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060698Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:32.235{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB33D41733F1FD65FEF5143975D5A81C,SHA256=A0CABC5972A3CAD8EDF15C6243AC306ADFE844FA9806F6E0CE0E28CE414797A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245319Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:32.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1430FB16471E3C2B3A89FE0428DCB51,SHA256=8BAC7AAF046C58EAE282A3551CBADE5E3474A6046F8D36EEE773BFFCDCDF9F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060699Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:33.595{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622364644990D63AAFADC3854A6493B6,SHA256=39C489C6595EEF969B85FC7261B8B4E43422C968CAD146292C0A6BFB9554BFEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245320Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:33.062{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D2B42476667B2659FE4504D11689BE,SHA256=08A8555924CA4A91C23576D92D327DA70F8CC4CBFC0305AA5D80EB5FDE5A25AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060701Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:34.955{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0688FAE0533E0F6B5C5E76CACAEFBE,SHA256=4FD99A0BD04E550A5BDE5ED6E78C7F874749B44BF5FA936FBD0949025B922BC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060700Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:31.958{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54754-false10.0.1.12-8000- 23542300x8000000000000000245321Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:34.093{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C93D2561A3CE0D3FC14098BA0BDE3C,SHA256=CC632BBAF3A388396DAB8362049EA758A14E53AA0A730DF8A8546FBFF73FBF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245322Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:35.093{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B287EE595AAB721F52C8F6C98EC3DBFB,SHA256=017699F6769D78CE606B745F87BAB37F39EE45400909450D94C0C08C3A03E2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060702Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:36.314{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC65D948D1B7F4E2BF2C89628FBD5F4A,SHA256=22D9A5D54AA32527DDA286482057EF4BC87602F0C78DA165C298035F5C0955F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245326Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:35.648{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245325Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:36.359{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C759FA9235C098DDBDB646F80923455,SHA256=4D91E149A1763200605971283D1F0988F493E813B1DE67634F9376A9A2B8DEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245324Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:36.359{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B84D3E9640B720A2867177B96C30E3A2,SHA256=2AB98DD9CD73635A32F149044EC4AADCE7BB7EB805A467745E139037A9734155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245323Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:36.109{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9ED3667C34723B6368AF4780F833C18,SHA256=1056037615E06A1E605C46FC61E1799D8560F227D2B87236FEEDFEB6019A9E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060703Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:37.674{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E73A44A1C0A2239B3A32E62209E4864,SHA256=7BCAFD4560FE58B3858F562134DBD92982F81BB6D5DD15D2E1FBDB66E3B7D87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245327Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:37.140{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92BD908948A5DAC31174C66B9D4FB72,SHA256=93146808D991C1DC4427E3D1F7C36797F5FF529EA311CC4DCF6538D68E7B52F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245328Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:38.187{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808B287FEE7789F449B14F07EFC99B64,SHA256=E4BF3EE29787400256188ADE3CE83BCA2DDC37C793F2A27F6E97E5BF26EA0C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060704Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:37.083{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54755-false10.0.1.12-8000- 23542300x8000000000000000245329Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:39.218{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F4A40F60DCE54FA6BDBF86D8121553,SHA256=B5430A6510526B31D08623ECF64891F0A1BB27F43DE8863FCFCF365EF312082C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060706Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:40.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFA4D64D95247174A7CB283C3F0800D,SHA256=FB03D3CA5968C36776F783C8804F2BD3AE7357E7B37F58A4F6359E5F1D811C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060705Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:40.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0771C220683227657316D5EE0D4E1065,SHA256=87BE16DCFB946A9C3AEEF06A0C3595F5562115643D130A43491BBA7712CE3620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245330Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:40.250{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198650EA49D55B9333BE23753E5E0DBC,SHA256=EF8BEA2DB43FC511D8A2116F3BED101F4555928CDFD7288B7E3FA49456E825F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060707Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:41.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D1D5D26B6E4196F2CB34ED21AFB4E4,SHA256=54EE66E9B1D54878A4ACE43F9BFDD8079A9FBD656FE6DD1E26CC787B10290124,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245333Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:40.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245332Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:41.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C759FA9235C098DDBDB646F80923455,SHA256=4D91E149A1763200605971283D1F0988F493E813B1DE67634F9376A9A2B8DEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245331Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:41.265{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C899E87C3BBB0A99F07146BB95CF8BD2,SHA256=2C2878EF78E8CE8D8C718481129524F4CE1B5C60535F05EDF41A230169B51B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060708Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:42.362{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5ADA170D0F40002003342FB587A22E,SHA256=8997CEBD7066245A732282B53662BB05E06E474E8E7D923DC119A1DA0609486F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245334Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:42.265{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63403DBD4F9FF2F7D1FC40D9F86E716,SHA256=354E984E27E16419A9BF85EB7F6A1534417109B0A6C7DC233C83D40056CD83DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060709Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:43.456{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29D1347FAAD8F5AA5874F32391901EE,SHA256=3AF86AD8342B92A0B0A94324D82493019E63A2DEE8A6130991FD2FA0B7223E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245335Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:43.265{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6621CA321856BE69EDC0179A961A4A2,SHA256=E6C2DCBF87A1D94C9D1267D4062662587E5155FFC10BB8B68CDDE3741EFCCBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060710Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:44.815{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75615F6F06AD995F39CA0EE7C1D566A,SHA256=8C8FBE49DF833E06FA892CDAD0CAF6626A07B98FD688B600E313F888102E5BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245336Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:44.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1882C69F07CCB35E577D4066DACB4ED,SHA256=E03CF3E4A54F9D2BE382384084738153F228ABEF582C44E6011C4436477D7426,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060711Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:43.005{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54756-false10.0.1.12-8000- 23542300x8000000000000000245337Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:45.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02677E8EFC436A78567CA482A0E4623C,SHA256=07F2BC34EEB56A950F5635575DEB72C77A6A4A437CAEA95D7DAE475A6CE1F0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060712Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:46.190{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB82F07F26DC1E9BFA088632A1C5AB7,SHA256=7FA17B63E8E50D64C386F51832CD5DD06A15452BF554B9E0B90841243B6A38B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245341Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:45.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245340Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:46.468{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B7E06BD35BFBC53DE6B92479B06B1F,SHA256=685D23CFCF1E799676CE17BFE13C0DBC5CA5E6018EA5B503FA505CB00EC1D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245339Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:46.468{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB31F6A236538677A102F2295E2B659E,SHA256=A381041BD5A5B3ECE01F42DFB1AB77FC0F4142600B3AE7DE48C7D1C332B7935F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245338Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:46.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF59F6EEA6848CC6BED3D7704F67F292,SHA256=02E5DCAD76D36C30185B1951821C1FCC5C613366B7879EBC02129D7C5EA67697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060713Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:47.550{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F257C1757ED32F951CE5711C7FD872,SHA256=8EA02243AB470F34D1B365CFB653E1F250CEB4824EA5FB4FB4B01108FE329EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245342Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:47.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF677E74A0D24C2EDB4FE184D6FD4BB,SHA256=C4F22A2FC224D64B6AD9F67BA08D24977B2C6AF1056B7D369B4F3DCC070F67EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060714Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:48.925{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21917C89D76361F26708DF03B73BF26C,SHA256=6FFF6D10061675C477607758FFA81AA0DEFDAB18E7D4D670F353BAD7410BDEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245343Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:48.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475EEBC71760D95DBDB9DA8AA629CEFB,SHA256=D0B4BF7262651A67270D91152CC6555BAC4717BDDF9C178F841F455D368FF63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060715Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:49.597{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42F409AF779C0CE35ECFE8655E51FC6B,SHA256=C7E2496E02BBA3CB46376B117D475995FB0A2FD5F14E02EB20AF62EF93BFD151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245344Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:49.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0B305E0694B1387B39ECF49C2E79E0,SHA256=F7FAE3AA4A1DF5389C81B06A59DA2FA1173C63FAA9D56AA4B3052FF16F313D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060717Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:50.285{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E90A370CE42322E5E854FD9174FD75,SHA256=9ABA9AA88125703B4B2C8BC87AF8A8FDDD6B4B65820C29C9A0896139E783A5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060716Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:50.191{7F8C56E7-4E3C-6063-1100-00000000AF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DDA888877685DDBB0A0FE7390D6148E0,SHA256=51B2EA218D07FADA78A669B8A1A0652622713C7C45E4C3DF1217CCA1F860DB99,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000245355Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000245354Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0468f761) 13241300x8000000000000000245353Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d72579-0x1b8e7fda) 13241300x8000000000000000245352Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72581-0x7d52e7da) 13241300x8000000000000000245351Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d72589-0xdf174fda) 13241300x8000000000000000245350Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000245349Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0468f761) 13241300x8000000000000000245348Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d72579-0x1b8e7fda) 13241300x8000000000000000245347Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d72581-0x7d52e7da) 13241300x8000000000000000245346Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-SetValue2021-03-30 16:26:50.812{CB4067E1-304A-6062-0B00-00000000AF01}608C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d72589-0xdf174fda) 23542300x8000000000000000245345Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:50.343{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3013AF517DDF84A3413079C60FC4832E,SHA256=20BAF7AF96557B54BB8B18EFA32A4852E5127B32022DCEAB9FB5133BBB832CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060721Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:48.864{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54757-false10.0.1.12-8000- 23542300x80000000000000001060720Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:51.644{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB703B25F721233BC858FB7581B7C75,SHA256=1841CADC8E7A3146A15181C39A25AE246F89F031397C637CCACC996FE3BD3E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060719Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:51.613{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1600-00000000AF01}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060718Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:51.035{7F8C56E7-4E4C-6063-3300-00000000AF01}2364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245356Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:51.375{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4530C820E8A118707D6B685825F31414,SHA256=28778BFB2A24D4F583DD4D55AA3098BC2D60006C80352E64BBEA750960B15C10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060722Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:49.864{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54758-false10.0.1.12-8089- 23542300x8000000000000000245360Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:52.656{CB4067E1-304B-6062-1200-00000000AF01}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B1F4FDA2839AA6372D77ED3B4038A4E7,SHA256=9ECD9E7E5F131BBEEF474CD1518AFE02828613BFB4BD22DD5B0671687A3BFC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245359Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:52.422{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAC32A8DCEDE57EC77D22E84712F76E,SHA256=274EC97BE7E4DAAC05DB51B1F090E69AAA0C433D384FF71F6B89B5D9CB1215D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245358Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:52.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E347FEFFCA741DBED49D9335478ED97,SHA256=2BADBBDEED0AA9BAC8F0E113DEEA14367AFD3E9BE319B3D5B5ED8B9E19DD2FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245357Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:52.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B7E06BD35BFBC53DE6B92479B06B1F,SHA256=685D23CFCF1E799676CE17BFE13C0DBC5CA5E6018EA5B503FA505CB00EC1D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060723Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:53.004{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE9278D5A3C16841DAF0326D5E96EB6,SHA256=E547153A08080952CFF7267123D857DF23B7D5470D065998F45078813B55241C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245363Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:53.953{CB4067E1-30AF-6062-9800-00000000AF01}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9EB0706C587F50BBEE1233E6456AA7E,SHA256=500015F71F0118682B52F400F5B38916EBFAA2D1986DD68D3505915C1D0CDED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245362Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:53.453{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E53289851B333696F97BA72B465A7E,SHA256=4242A2952F50355EC8967209DFA1A06E88ECE080CFE9F72AEE30E4D976497B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245361Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:51.476{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060724Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:54.363{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF0C99D7B57C60AA4F0FA2DD80E8ABE,SHA256=48DCBF04BEB7FE77245A8E5E72A29F69C0B424605C9A7744A39FDBCD0536B395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245365Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:54.937{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E347FEFFCA741DBED49D9335478ED97,SHA256=2BADBBDEED0AA9BAC8F0E113DEEA14367AFD3E9BE319B3D5B5ED8B9E19DD2FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245364Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:54.500{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDFB6C7E471D890C3D6F26F0C39702B,SHA256=C4B66223FE274563EA8F7D1EBC3D05882433EAE6843E038DA1D120E6E7050320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060725Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:55.739{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2261437D48491F98C5C5F1C94F6D467,SHA256=E8406C6507A92E2A015CF9004F2F18A3AC0912210678F43F8C0688D2246BB74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245366Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:55.547{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBD49C1C9D6DD2AC5E7BE3D37B8FCD3,SHA256=B6DBCFE05DFF6278FE6B036CD5A9E6A3FCF2A0FD4C267EE39BF12A5114D6B11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060726Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:54.068{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54759-false10.0.1.12-8000- 23542300x8000000000000000245368Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:56.547{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D274E9B8540D45B2065AA13C972CA3EE,SHA256=B23D2624AC931D9A1B81DEC772FE2BD0F12BCAF502ED4C6B5CB452F8387484BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245367Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:54.367{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000001060727Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:57.098{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B9F2E2E1D9EE4069D7AEE7F235418A,SHA256=09CF8A986FF71EE99A34C46B5CB4FBF34C4A186A06964122BB9D9E59B308A02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245369Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:57.562{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70B7D87116B0860C9ABA879EB925410,SHA256=D0C7719E21671574113B9E5662D6F242DE85C680DAF2027736DC5101CB234CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060729Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:58.458{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7670974B667CE30D216317E9CFF069CC,SHA256=DA97CED533A94F392637F1A967678DF2505E239DCCB8998D3FFE937EDFF12F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060728Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:58.458{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE0AD2E291EF6428FB62F2EE54ABAB1,SHA256=880BA967A76B39F30CEB941109E3E4E6C6CA31532DDCAED0C9DD395D5D3C4C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245371Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:58.562{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2941CB977BE73580ED52E25319D5D8FF,SHA256=797ED6CB8AFD5FF2619FC4AC7F5234EC4FF7A77CA14F5CD16FA2F208245A824F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245370Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:58.172{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF66B4A915AEAE02E4517DEBD8AD564A,SHA256=63898C6893075D16844F700370BD0FD02F2904DB774753B742A41324D835D740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060730Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:59.817{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D54301300F459B5A5B28C1F24F7A66,SHA256=6E4B290B01A46F179A42B652075877FCAFA3CBAD72E7787D87F0EAFBEA2D5074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245373Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:59.578{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A842602493CF507E202F7CDEAD7E5D,SHA256=37C97364B6C119249D2C7567CD260963BA3B01BA93E6B60F9C5944310898CC10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245372Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:26:57.445{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245374Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:00.594{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28803C91AE2DC2AB5BC70D759A4AF6C,SHA256=A858078F7972BFF51807501E4041B6516E38DDF22A7CBE5642191EBBD834CE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060731Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:01.177{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53625179C658710DF0834A2F2FBB2722,SHA256=589C7A2CF8422256982839B7D9B4F0E5EF7DE1D51C00CD59012741B9DE070D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245375Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:01.625{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C07BCBC53F9758B532AD1AEAC364E6,SHA256=9BA3524AEE27D0DFA797F4BAB0C467501F9121414F8129AF05D083822E55C097,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060733Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:26:59.927{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54760-false10.0.1.12-8000- 23542300x80000000000000001060732Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:02.536{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C0EB77BD042A219CAF7FFFA7754A33,SHA256=19852F806D9F2A5CF3CFFFED3AF908D013234C7E33B2B3F478A18DE770E76D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245376Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:02.640{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F572885A2BD8B2D23D022100D40864A4,SHA256=8050E9571464A3EF3DDE5C571DC8628B5B84BBBF0A0FCE7C0A0F6CDA70D5C0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060734Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:03.912{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2058C0054124FA378AF8D2EB4CD825,SHA256=6A432B134F365D86112350DEB14A682CE05C8BDAE511C956BBAB9DE62C46B0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245379Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:03.656{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706D40E1FA021F2E281FA3E0D9D0A659,SHA256=04B573FD597F7C964E9E7203E90C8F7DC0C7B645FD656D56B787C0CF743139DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245378Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:03.469{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6302926DAFE0F033DEF1A22C58077A5,SHA256=DC17C88256768757EC7A0BDDAAA44F9AA383F8429B4EA2D0B9F47B92A0F5C328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245377Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:03.469{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AF93D9256175D9B546B5CF79CDEF5B,SHA256=75F4F81F1968F185C78FCB761D186061EBB56BB12054211145F5639E1EFF4A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245380Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:04.687{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8D5F2C512CECC366B448735B29FB4C,SHA256=EF95D1E6680294D99A509BB4DBA63FEEF53627E5ACCD2712854326FA946316E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060735Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:05.271{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC059D398B54BC78D6FDC1D60625B1F,SHA256=E16DF99322DCB93D1F2BBD74ED7A62F1FB329BD12D9B201CDA4BDDC6B810DC3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245382Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:05.750{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1307AEEA5AD90CDCDC9E8444117B3A1,SHA256=42ABF2C277ED669CA11B126427D357BF7FBF8878B4CA5FAA0ABF428DDE494394,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245381Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:02.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64748-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060736Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:06.631{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE027DA7C9A224E78A984822F052FB2D,SHA256=0B63802C51016744CEEED19C81EA3FB74E5B58D0C870BD18924ADA05AFFB494A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245383Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:06.765{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD514EB60F34D5E781137B52030FB0D9,SHA256=C610E32A6A9F8E5A1299B1700117B852D99051AB64667DC7FA78762595B0F089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060739Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:07.990{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2DEE31992766A71C3FEAE04F522CA8,SHA256=4438AA0072491BE931CD79BF94538F834B670D1F77134985C9C75D1A3F679822,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060738Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:05.036{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54761-false10.0.1.12-8000- 23542300x80000000000000001060737Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:07.303{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6E5A037CD59612D24AF5E8E2892C69D,SHA256=A869A97D702EF62B4AA4CEFC4A20DC09E3FDACAF33B29A0A2D5420836CFA7D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245384Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:07.765{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610C032CFCEF918D15DD29E95EF3E9B3,SHA256=8F38B4C7101D7E8C990F1BDFA01369F98D60C15125A79F35D6959EA7273D279D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245386Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:08.765{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192076826F5CB8418B43E495C4800B2C,SHA256=1B3B88086105109D0BE74475517E7ED8D48653172F2E7284E43239E33321A7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245385Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:08.250{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6302926DAFE0F033DEF1A22C58077A5,SHA256=DC17C88256768757EC7A0BDDAAA44F9AA383F8429B4EA2D0B9F47B92A0F5C328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060740Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:09.350{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9EE6CA3C151C2D600C7CD12C5B1975,SHA256=D2CDF70A6DC867748268195799785F673D0092483DF7BD30CCE86D1F04EDE5A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245388Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:09.797{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60D489CAEF4E62221152747B3CD8CF7,SHA256=B4DDB0FF018A13EF01CE2F95D36AC480AFCA6A354984C7F3FC59907753484FA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245387Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:07.664{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001060741Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:10.334{7F8C56E7-4E3C-6063-0D00-00000000AF01}8924808C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2E00-00000000AF01}2196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245389Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:10.797{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA25971161D5C80E0C5C77D9251F01C1,SHA256=E1858A823DF9EFC9D24204246B97FF4D03EBCF8418AE140577B9F8751C5F0D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060742Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:11.350{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D6E549B90049355B9F12B5C877B02D,SHA256=EACA78F8EAA690DBDA62506B44D7D549204BA915ADE65DBC4954B489D6D481D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245390Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:11.812{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EA606A11E0FE110F598E6738AED195,SHA256=7F788990A45319E643AE629EC7EFE8DDB9CA29BDEDCF1B65E605728AC080ED72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060774Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060773Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060772Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060771Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060770Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060769Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060768Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E68-6063-8F00-00000000AF01}3764C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060767Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060766Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060765Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060764Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060763Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060762Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060761Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060760Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060759Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060758Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060757Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060756Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060755Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060754Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E66-6063-8C00-00000000AF01}4964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060753Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060752Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060751Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060750Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060749Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060748Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060747Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060746Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060745Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060744Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.616{7F8C56E7-4E3C-6063-0D00-00000000AF01}892912C:\Windows\system32\svchost.exe{7F8C56E7-4E69-6063-9100-00000000AF01}4772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060743Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:12.350{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240440B304D8FF51A570A924E20CF058,SHA256=F2AA9E08BB48508BE54DCB4A07C4039BEAFB82854C626DBC9B8D1F37BFE03452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245391Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:12.812{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA328EF3D1DE70C21173C1412A51C560,SHA256=F96C6F2D982D7B0578A002124A2EB4A81C44AA757CD42A6A64E7E20B9513AFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060776Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:13.726{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A1019F4EF1A409940D1E278183823F,SHA256=2837BA59184D243B353EF3E09DDE6751838DB6B8D546C1D468F9114DF35CAC9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060775Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:10.960{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54762-false10.0.1.12-8000- 23542300x8000000000000000245392Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:13.828{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2D6B727B6D6F6DDBBA7CAF21CB28E3,SHA256=401F7400464BBEF345F9131248AE2DA494D50AE937A799AE9F578A46471D8712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245396Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:14.828{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4569EA5582CBE73F5A6ECE52BAC30C3D,SHA256=6F585244168DD8BE6DE87E105DCDA341B71734C10198433CDBDEC71CBA79D6E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245395Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:13.461{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245394Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:14.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C569F6F2E44871BF80C69FE94F0FE0F0,SHA256=FFB07315094A2EAB7381A2E6F488ABAD7AB318CCF46E15A8A661A16688A21856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245393Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:14.078{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F82B95994E12E8472F6B978804928A4,SHA256=9EE8FC6D02894118842DB505029BE2B76EE08E41F9BC81FC986A7917BCF87669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060777Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:15.101{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8C00BCD93A28DBDEE2235A98D50ABF,SHA256=00A63C77C02D55C92AF9D30BA3717FC5D75B736B6DCDF52D7D3AC53B9FAB829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245397Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:15.829{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E0EE54BC3F03685384328D71CCD95,SHA256=D28F4EA28562044CE9C7650B39796A8DB1808C155A0894F3332A5CB07DB815DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060778Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:16.507{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3156036EA2E643241A19EB8ED38125B8,SHA256=1BC3221E858BAA89162FDCA64BC687FAC59EE36ED86143B059E5046B007A7E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245398Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:16.842{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B166D7664C1FAF20CC78E05C3D0046,SHA256=B8D93C778D2C95E2AE05DD0FAA7D4F500BC72EFAC9E1B426AAD840CF9D9E109A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060779Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:17.867{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB369B06E19706482504C9BAFE2EF15B,SHA256=A5774052C23CCF1CB3227372652547117732DE65AE5D679614C974630A84259D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245399Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:17.843{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF61BD2505EC497E480513E33A6757F1,SHA256=9AE06A11FDA4BE6B5261DCCDF8DEB00487A7339560453965331EE3288C47BF6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060789Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:16.084{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54763-false10.0.1.12-8000- 10341000x80000000000000001060788Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5166-6063-1201-00000000AF01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060787Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060786Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060785Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060784Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060783Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-5166-6063-1201-00000000AF01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060782Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5166-6063-1201-00000000AF01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060781Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.559{7F8C56E7-5166-6063-1201-00000000AF01}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060780Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:18.554{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48054C8309F17545CBFFAB6F937C9300,SHA256=E4AB71F7C12AE5EF6CA8A48483BB41D43BD7C6841D2F6207407AD8E323033934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245400Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:18.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4876F67C3FA9B740F250A2F3450A0217,SHA256=D5C1B10834DE45A1A89DCE69B850519F3822FB7ED3EB5A490D5258F14DA97B2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060798Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5167-6063-1301-00000000AF01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060797Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060796Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060795Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060794Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060793Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-5167-6063-1301-00000000AF01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060792Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.933{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5167-6063-1301-00000000AF01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060791Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.935{7F8C56E7-5167-6063-1301-00000000AF01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060790Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:19.227{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F91E419983CF58DDF8E75CE7BA388DF,SHA256=6E44BA63462E24F50274DFD4B9B8D9C28883F72100AE18B32FCF6043A040A431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245403Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:19.906{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B881A8F6EFFF552A9A8989B9FB0E835C,SHA256=A9C9D66D3C0216B3A25F11D2E04567B34314853CE03B103AE92CE5EC8ED3BB2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245402Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:18.476{CB4067E1-30B6-6062-C600-00000000AF01}1460C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-847.attackrange.local64751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000245401Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:19.046{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C569F6F2E44871BF80C69FE94F0FE0F0,SHA256=FFB07315094A2EAB7381A2E6F488ABAD7AB318CCF46E15A8A661A16688A21856,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001060810Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:17.835{7F8C56E7-4E3B-6063-0B00-00000000AF01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54764-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 354300x80000000000000001060809Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:17.835{7F8C56E7-4E4C-6063-2F00-00000000AF01}988C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-877.attackrange.local54764-true0:0:0:0:0:0:0:1win-dc-877.attackrange.local389ldap 10341000x80000000000000001060808Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-5168-6063-1401-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060807Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060806Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060805Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060804Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060803Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-5168-6063-1401-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060802Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-5168-6063-1401-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060801Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.623{7F8C56E7-5168-6063-1401-00000000AF01}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001060800Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.620{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0516647A1B4733146B3075C2BE6B32,SHA256=BB2A1F15340D71554C6555B78FC0D15252FA78A44174C7CD76387674AB5705E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060799Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:20.074{7F8C56E7-5167-6063-1301-00000000AF01}49724400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245417Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5168-6063-A322-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245416Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245415Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245414Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245413Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245412Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245411Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245410Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245409Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245408Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245407Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5168-6063-A322-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245406Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.968{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5168-6063-A322-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245405Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.969{CB4067E1-5168-6063-A322-00000000AF01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245404Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:20.906{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962C4E8BFBB20A0AC00E84BDAD329A86,SHA256=6B520607B50B5235594EF04FEDCCF812ACD7247ACA95DDFE967F3712362D20AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060811Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:21.983{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33B2D5CD4AD4FC8BD9CFA161CEF0CB3,SHA256=E18F5624A2623E122FFD6569D0089DC2948847D555E6DDC0028BE1D05780751B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245430Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-5169-6063-A422-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245429Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245428Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245427Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245426Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245425Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245424Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245423Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245422Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245421Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245420Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-5169-6063-A422-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245419Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.640{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-5169-6063-A422-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245418Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:21.641{CB4067E1-5169-6063-A422-00000000AF01}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245459Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516A-6063-A622-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245458Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245457Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245456Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245455Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245454Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245453Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245452Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245451Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245450Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245449Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-304A-6062-0500-00000000AF01}392936C:\Windows\system32\csrss.exe{CB4067E1-516A-6063-A622-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245448Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516A-6063-A622-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245447Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.984{CB4067E1-516A-6063-A622-00000000AF01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245446Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.437{CB4067E1-516A-6063-A522-00000000AF01}3241504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x8000000000000000245445Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=701AE9C3DD3955BD51D6A15C533D4205,SHA256=DFEA6BAA90A5B8352E41AA2596954BF4EDB36414672C876B93C0A5757234142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245444Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516A-6063-A522-00000000AF01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245443Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245442Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245441Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245440Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245439Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245438Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245437Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245436Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245435Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245434Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-516A-6063-A522-00000000AF01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245433Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516A-6063-A522-00000000AF01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245432Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.313{CB4067E1-516A-6063-A522-00000000AF01}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245431Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:22.312{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8AEB49A5AC3E0775448B19ACB57297,SHA256=FADF37F44E3CB9A047CD4A84E58F9F602D191B0C329288ADD7EEF45639B0A034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060812Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:23.342{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCDDBA13A8A16BDAD214D4BEEF26440,SHA256=B9AA227978A0570AEB2A9AFD87B75A4BC51672300E928311BDB6EF4A8D45C5ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245476Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.765{CB4067E1-516B-6063-A722-00000000AF01}34523240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245475Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516B-6063-A722-00000000AF01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245474Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245473Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245472Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245471Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245470Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245469Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245468Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245467Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245466Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245465Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-516B-6063-A722-00000000AF01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245464Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516B-6063-A722-00000000AF01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245463Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.656{CB4067E1-516B-6063-A722-00000000AF01}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245462Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.453{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465F08DF6365AB7D720653704F457A8B,SHA256=A114A5C846A68CC612176252CE44642D185B9366ED168134D09D84C51B37FFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245461Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.328{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56325FAFED600D074AF299FC31829825,SHA256=5F5EF03D74DEDB195736BFF3BAE314D1F39BB991573473CD92AA261BCC03BC24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245460Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:23.093{CB4067E1-516A-6063-A622-00000000AF01}10922792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 354300x80000000000000001060833Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:22.027{7F8C56E7-4E56-6063-7600-00000000AF01}3780C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-877.attackrange.local54765-false10.0.1.12-8000- 10341000x80000000000000001060832Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.858{7F8C56E7-516C-6063-1601-00000000AF01}31522532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 23542300x80000000000000001060831Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E5D-6063-7F00-00000000AF01}3584NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37832D621D93402DCA9E7B0542A87239,SHA256=39EB622693FEDA6B3484B7C3F17E1226AEA2C50C0CEC9116979C26A4F7AE248B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060830Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-516C-6063-1601-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060829Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060828Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060827Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060826Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060825Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-516C-6063-1601-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060824Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.718{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-516C-6063-1601-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060823Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.719{7F8C56E7-516C-6063-1601-00000000AF01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001060822Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-SetValue2021-03-30 16:27:24.452{7F8C56E7-4E3C-6063-1000-00000000AF01}100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d72581-0x910189a1) 10341000x80000000000000001060821Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.155{7F8C56E7-516C-6063-1501-00000000AF01}56004596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060820Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-516C-6063-1501-00000000AF01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060819Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060818Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060817Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060816Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060815Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E3A-6063-0500-00000000AF01}4121572C:\Windows\system32\csrss.exe{7F8C56E7-516C-6063-1501-00000000AF01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060814Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.030{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-516C-6063-1501-00000000AF01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x80000000000000001060813Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:24.031{7F8C56E7-516C-6063-1501-00000000AF01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F8C56E7-4E3B-6063-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245505Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516C-6063-A922-00000000AF01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245504Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245503Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245502Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245501Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245500Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245499Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245498Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245497Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245496Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245495Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-304A-6062-0500-00000000AF01}392508C:\Windows\system32\csrss.exe{CB4067E1-516C-6063-A922-00000000AF01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245494Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516C-6063-A922-00000000AF01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245493Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.953{CB4067E1-516C-6063-A922-00000000AF01}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000245492Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.890{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=013AF116578F33C067250A12EA63E9C0,SHA256=CDA93A2C1764CB270672E17C1E82E83D7753ED329326840245409F5FB3FF3D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245491Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.593{CB4067E1-30BC-6062-CF00-00000000AF01}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEC0BF7CAEED3944CACFA9999BE8228,SHA256=9FEF38A21C2EA7115EBDAE08C620313516DB233F0FC909601BE212425341EC42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245490Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.453{CB4067E1-516C-6063-A822-00000000AF01}3963104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245489Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-30AF-6062-9C00-00000000AF01}37363764C:\Windows\system32\conhost.exe{CB4067E1-516C-6063-A822-00000000AF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245488Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245487Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245486Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245485Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245484Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245483Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245482Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245481Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245480Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304B-6062-0C00-00000000AF01}7123440C:\Windows\system32\svchost.exe{CB4067E1-304C-6062-1F00-00000000AF01}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x8000000000000000245479Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-304A-6062-0500-00000000AF01}392408C:\Windows\system32\csrss.exe{CB4067E1-516C-6063-A822-00000000AF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x8000000000000000245478Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-30AF-6062-9800-00000000AF01}26721992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CB4067E1-516C-6063-A822-00000000AF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 154100x8000000000000000245477Microsoft-Windows-Sysmon/Operationalwin-host-847.attackrange.local-2021-03-30 16:27:24.328{CB4067E1-516C-6063-A822-00000000AF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CB4067E1-304A-6062-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CB4067E1-30AF-6062-9800-00000000AF01}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060842Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.530{7F8C56E7-516D-6063-1701-00000000AF01}55802068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F8C56E7-4E4C-6063-3300-00000000AF01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060841Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E4D-6063-3B00-00000000AF01}28842140C:\Windows\system32\conhost.exe{7F8C56E7-516D-6063-1701-00000000AF01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060840Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060839Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060838Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060837Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3C-6063-0C00-00000000AF01}832860C:\Windows\system32\svchost.exe{7F8C56E7-4E4C-6063-2D00-00000000AF01}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821 10341000x80000000000000001060836Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E3A-6063-0500-00000000AF01}412528C:\Windows\system32\csrss.exe{7F8C56E7-516D-6063-1701-00000000AF01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f 10341000x80000000000000001060835Microsoft-Windows-Sysmon/Operationalwin-dc-877.attackrange.local-2021-03-30 16:27:25.405{7F8C56E7-4E4C-6063-3300-00000000AF01}23643588C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F8C56E7-516D-6063-1701-00000000AF01}5580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffff